feat: Permettre à l'enseignant de rédiger avec un éditeur riche et joindre des fichiers

Les enseignants avaient besoin de consignes plus claires pour les élèves : le champ description en texte brut ne permettait ni mise en forme ni partage de documents. Cette limitation obligeait à décrire verbalement les ressources au lieu de les joindre directement. L'éditeur WYSIWYG (TipTap) remplace le textarea avec gras, italique, listes et liens. Le contenu HTML est sanitisé côté backend via symfony/html-sanitizer pour prévenir les injections XSS. Les pièces jointes (PDF, JPEG, PNG, max 10 Mo) sont uploadées via une API dédiée avec validation MIME côté domaine et protection path-traversal sur le téléchargement. Les descriptions en texte brut existantes restent lisibles sans migration de données.
2026-03-24 16:08:23 +01:00
parent 93baeb1eaa
commit ab835e5c3d
26 changed files with 2655 additions and 33 deletions
--- a/backend/tests/Unit/Scolarite/Application/Command/UpdateHomework/UpdateHomeworkHandlerTest.php
+++ b/backend/tests/Unit/Scolarite/Application/Command/UpdateHomework/UpdateHomeworkHandlerTest.php
@@ -12,6 +12,7 @@ use App\Administration\Domain\Model\User\UserId;
 use App\Scolarite\Application\Command\UpdateHomework\UpdateHomeworkCommand;
 use App\Scolarite\Application\Command\UpdateHomework\UpdateHomeworkHandler;
 use App\Scolarite\Application\Port\CurrentCalendarProvider;
+use App\Scolarite\Application\Port\HtmlSanitizer;
 use App\Scolarite\Domain\Exception\DateEcheanceInvalideException;
 use App\Scolarite\Domain\Exception\DevoirDejaSupprimeException;
 use App\Scolarite\Domain\Exception\HomeworkNotFoundException;
@@ -172,6 +173,60 @@ final class UpdateHomeworkHandlerTest extends TestCase
        self::assertSame('Exercices sans description', $homework->title);
    }

+    #[Test]
+    public function itSanitizesHtmlDescription(): void
+    {
+        $sanitizer = new class implements HtmlSanitizer {
+            public function sanitize(string $html): string
+            {
+                return strip_tags($html, '<p><strong><em><ul><ol><li><a>');
+            }
+        };
+
+        $handler = $this->createHandlerWithSanitizer($sanitizer);
+        $command = new UpdateHomeworkCommand(
+            tenantId: self::TENANT_ID,
+            homeworkId: (string) $this->existingHomeworkId,
+            teacherId: '550e8400-e29b-41d4-a716-446655440010',
+            title: 'Test sanitize',
+            description: '<p>Texte</p><script>alert("xss")</script>',
+            dueDate: '2026-04-20',
+        );
+
+        $homework = $handler($command);
+
+        self::assertSame('<p>Texte</p>alert("xss")', $homework->description);
+    }
+
+    #[Test]
+    public function itDoesNotSanitizeNullDescription(): void
+    {
+        $sanitizer = new class implements HtmlSanitizer {
+            public bool $called = false;
+
+            public function sanitize(string $html): string
+            {
+                $this->called = true;
+
+                return $html;
+            }
+        };
+
+        $handler = $this->createHandlerWithSanitizer($sanitizer);
+        $command = new UpdateHomeworkCommand(
+            tenantId: self::TENANT_ID,
+            homeworkId: (string) $this->existingHomeworkId,
+            teacherId: '550e8400-e29b-41d4-a716-446655440010',
+            title: 'Test null desc',
+            description: null,
+            dueDate: '2026-04-20',
+        );
+
+        $handler($command);
+
+        self::assertFalse($sanitizer->called);
+    }
+
    #[Test]
    public function itThrowsWhenNotOwner(): void
    {
@@ -206,7 +261,7 @@ final class UpdateHomeworkHandlerTest extends TestCase
        $this->homeworkRepository->save($homework);
    }

-    private function createHandler(): UpdateHomeworkHandler
+    private function createHandlerWithSanitizer(HtmlSanitizer $htmlSanitizer): UpdateHomeworkHandler
    {
        $calendarProvider = new class implements CurrentCalendarProvider {
            public function forCurrentYear(TenantId $tenantId): SchoolCalendar
@@ -224,6 +279,37 @@ final class UpdateHomeworkHandlerTest extends TestCase
            $this->homeworkRepository,
            $calendarProvider,
            new DueDateValidator(),
+            $htmlSanitizer,
+            $this->clock,
+        );
+    }
+
+    private function createHandler(): UpdateHomeworkHandler
+    {
+        $calendarProvider = new class implements CurrentCalendarProvider {
+            public function forCurrentYear(TenantId $tenantId): SchoolCalendar
+            {
+                return SchoolCalendar::reconstitute(
+                    tenantId: $tenantId,
+                    academicYearId: AcademicYearId::fromString('550e8400-e29b-41d4-a716-446655440002'),
+                    zone: null,
+                    entries: [],
+                );
+            }
+        };
+
+        $htmlSanitizer = new class implements HtmlSanitizer {
+            public function sanitize(string $html): string
+            {
+                return $html;
+            }
+        };
+
+        return new UpdateHomeworkHandler(
+            $this->homeworkRepository,
+            $calendarProvider,
+            new DueDateValidator(),
+            $htmlSanitizer,
            $this->clock,
        );
    }