feat: Attribution de rôles multiples par utilisateur

Les utilisateurs Classeo étaient limités à un seul rôle, alors que dans la réalité scolaire un directeur peut aussi être enseignant, ou un parent peut avoir un rôle vie scolaire. Cette limitation obligeait à créer des comptes distincts par fonction. Le modèle User supporte désormais plusieurs rôles simultanés avec basculement via le header. L'admin peut attribuer/retirer des rôles depuis l'interface de gestion, avec des garde-fous : pas d'auto- destitution, pas d'escalade de privilèges (seul SUPER_ADMIN peut attribuer SUPER_ADMIN), vérification du statut actif pour le switch de rôle, et TTL explicite sur le cache de rôle actif.
2026-02-10 07:57:43 +01:00
parent 9ccad77bf0
commit e930c505df
93 changed files with 2527 additions and 165 deletions
--- a/backend/tests/Unit/Administration/Application/Command/AssignRoleHandlerTest.php
+++ b/backend/tests/Unit/Administration/Application/Command/AssignRoleHandlerTest.php
@@ -0,0 +1,116 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Administration\Application\Command;
+
+use App\Administration\Application\Command\AssignRole\AssignRoleCommand;
+use App\Administration\Application\Command\AssignRole\AssignRoleHandler;
+use App\Administration\Domain\Event\RoleAttribue;
+use App\Administration\Domain\Exception\RoleDejaAttribueException;
+use App\Administration\Domain\Model\User\Email;
+use App\Administration\Domain\Model\User\Role;
+use App\Administration\Domain\Model\User\User;
+use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
+use App\Shared\Domain\Clock;
+use App\Shared\Domain\Tenant\TenantId;
+use DateTimeImmutable;
+use InvalidArgumentException;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+final class AssignRoleHandlerTest extends TestCase
+{
+    private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
+
+    private InMemoryUserRepository $userRepository;
+    private AssignRoleHandler $handler;
+
+    protected function setUp(): void
+    {
+        $this->userRepository = new InMemoryUserRepository();
+
+        $clock = new class implements Clock {
+            public function now(): DateTimeImmutable
+            {
+                return new DateTimeImmutable('2026-02-08 10:00:00');
+            }
+        };
+
+        $this->handler = new AssignRoleHandler($this->userRepository, $clock);
+    }
+
+    #[Test]
+    public function itAssignsRoleToUser(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $this->userRepository->save($user);
+
+        $result = ($this->handler)(new AssignRoleCommand(
+            userId: (string) $user->id,
+            role: Role::PARENT->value,
+        ));
+
+        self::assertTrue($result->aLeRole(Role::PROF));
+        self::assertTrue($result->aLeRole(Role::PARENT));
+    }
+
+    #[Test]
+    public function itRecordsRoleAttribueEvent(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $this->userRepository->save($user);
+        $user->pullDomainEvents();
+
+        ($this->handler)(new AssignRoleCommand(
+            userId: (string) $user->id,
+            role: Role::PARENT->value,
+        ));
+
+        $savedUser = $this->userRepository->get($user->id);
+        $events = $savedUser->pullDomainEvents();
+
+        self::assertCount(1, $events);
+        self::assertInstanceOf(RoleAttribue::class, $events[0]);
+    }
+
+    #[Test]
+    public function itThrowsWhenRoleAlreadyAssigned(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $this->userRepository->save($user);
+
+        $this->expectException(RoleDejaAttribueException::class);
+
+        ($this->handler)(new AssignRoleCommand(
+            userId: (string) $user->id,
+            role: Role::PROF->value,
+        ));
+    }
+
+    #[Test]
+    public function itThrowsWhenRoleIsInvalid(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $this->userRepository->save($user);
+
+        $this->expectException(InvalidArgumentException::class);
+
+        ($this->handler)(new AssignRoleCommand(
+            userId: (string) $user->id,
+            role: 'ROLE_INVALID',
+        ));
+    }
+
+    private function createUser(Role $role): User
+    {
+        return User::creer(
+            email: new Email('user@example.com'),
+            role: $role,
+            tenantId: TenantId::fromString(self::TENANT_ID),
+            schoolName: 'École Alpha',
+            dateNaissance: null,
+            createdAt: new DateTimeImmutable('2026-01-15 10:00:00'),
+        );
+    }
+}
--- a/backend/tests/Unit/Administration/Application/Command/RemoveRoleHandlerTest.php
+++ b/backend/tests/Unit/Administration/Application/Command/RemoveRoleHandlerTest.php
@@ -0,0 +1,126 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Administration\Application\Command;
+
+use App\Administration\Application\Command\RemoveRole\RemoveRoleCommand;
+use App\Administration\Application\Command\RemoveRole\RemoveRoleHandler;
+use App\Administration\Domain\Event\RoleRetire;
+use App\Administration\Domain\Exception\DernierRoleNonRetirableException;
+use App\Administration\Domain\Exception\RoleNonAttribueException;
+use App\Administration\Domain\Model\User\Email;
+use App\Administration\Domain\Model\User\Role;
+use App\Administration\Domain\Model\User\User;
+use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
+use App\Shared\Domain\Clock;
+use App\Shared\Domain\Tenant\TenantId;
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+final class RemoveRoleHandlerTest extends TestCase
+{
+    private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
+
+    private InMemoryUserRepository $userRepository;
+    private RemoveRoleHandler $handler;
+
+    protected function setUp(): void
+    {
+        $this->userRepository = new InMemoryUserRepository();
+
+        $clock = new class implements Clock {
+            public function now(): DateTimeImmutable
+            {
+                return new DateTimeImmutable('2026-02-08 10:00:00');
+            }
+        };
+
+        $this->handler = new RemoveRoleHandler($this->userRepository, $clock);
+    }
+
+    #[Test]
+    public function itRemovesRoleFromUser(): void
+    {
+        $user = $this->createUserWithRoles(Role::PROF, Role::PARENT);
+        $this->userRepository->save($user);
+
+        $result = ($this->handler)(new RemoveRoleCommand(
+            userId: (string) $user->id,
+            role: Role::PARENT->value,
+        ));
+
+        self::assertTrue($result->aLeRole(Role::PROF));
+        self::assertFalse($result->aLeRole(Role::PARENT));
+    }
+
+    #[Test]
+    public function itRecordsRoleRetireEvent(): void
+    {
+        $user = $this->createUserWithRoles(Role::PROF, Role::PARENT);
+        $this->userRepository->save($user);
+        $user->pullDomainEvents();
+
+        ($this->handler)(new RemoveRoleCommand(
+            userId: (string) $user->id,
+            role: Role::PARENT->value,
+        ));
+
+        $savedUser = $this->userRepository->get($user->id);
+        $events = $savedUser->pullDomainEvents();
+
+        self::assertCount(1, $events);
+        self::assertInstanceOf(RoleRetire::class, $events[0]);
+    }
+
+    #[Test]
+    public function itThrowsWhenRoleNotAssigned(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $this->userRepository->save($user);
+
+        $this->expectException(RoleNonAttribueException::class);
+
+        ($this->handler)(new RemoveRoleCommand(
+            userId: (string) $user->id,
+            role: Role::PARENT->value,
+        ));
+    }
+
+    #[Test]
+    public function itThrowsWhenRemovingLastRole(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $this->userRepository->save($user);
+
+        $this->expectException(DernierRoleNonRetirableException::class);
+
+        ($this->handler)(new RemoveRoleCommand(
+            userId: (string) $user->id,
+            role: Role::PROF->value,
+        ));
+    }
+
+    private function createUser(Role $role): User
+    {
+        return User::creer(
+            email: new Email('user@example.com'),
+            role: $role,
+            tenantId: TenantId::fromString(self::TENANT_ID),
+            schoolName: 'École Alpha',
+            dateNaissance: null,
+            createdAt: new DateTimeImmutable('2026-01-15 10:00:00'),
+        );
+    }
+
+    private function createUserWithRoles(Role $role, Role ...$additionalRoles): User
+    {
+        $user = $this->createUser($role);
+        foreach ($additionalRoles as $r) {
+            $user->attribuerRole($r, new DateTimeImmutable());
+        }
+
+        return $user;
+    }
+}
--- a/backend/tests/Unit/Administration/Application/Command/UpdateUserRolesHandlerTest.php
+++ b/backend/tests/Unit/Administration/Application/Command/UpdateUserRolesHandlerTest.php
@@ -0,0 +1,119 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Administration\Application\Command;
+
+use App\Administration\Application\Command\UpdateUserRoles\UpdateUserRolesCommand;
+use App\Administration\Application\Command\UpdateUserRoles\UpdateUserRolesHandler;
+use App\Administration\Application\Port\ActiveRoleStore;
+use App\Administration\Domain\Model\User\Email;
+use App\Administration\Domain\Model\User\Role;
+use App\Administration\Domain\Model\User\User;
+use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
+use App\Shared\Domain\Clock;
+use App\Shared\Domain\Tenant\TenantId;
+use DateTimeImmutable;
+use InvalidArgumentException;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+final class UpdateUserRolesHandlerTest extends TestCase
+{
+    private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
+
+    private InMemoryUserRepository $userRepository;
+    private UpdateUserRolesHandler $handler;
+    private ActiveRoleStore $activeRoleStore;
+
+    protected function setUp(): void
+    {
+        $this->userRepository = new InMemoryUserRepository();
+
+        $clock = new class implements Clock {
+            public function now(): DateTimeImmutable
+            {
+                return new DateTimeImmutable('2026-02-08 10:00:00');
+            }
+        };
+
+        $this->activeRoleStore = $this->createMock(ActiveRoleStore::class);
+
+        $this->handler = new UpdateUserRolesHandler($this->userRepository, $clock, $this->activeRoleStore);
+    }
+
+    #[Test]
+    public function itUpdatesRolesBulk(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $this->userRepository->save($user);
+
+        $result = ($this->handler)(new UpdateUserRolesCommand(
+            userId: (string) $user->id,
+            roles: [Role::PARENT->value, Role::VIE_SCOLAIRE->value],
+        ));
+
+        self::assertFalse($result->aLeRole(Role::PROF));
+        self::assertTrue($result->aLeRole(Role::PARENT));
+        self::assertTrue($result->aLeRole(Role::VIE_SCOLAIRE));
+    }
+
+    #[Test]
+    public function itKeepsExistingRolesIfInTargetList(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $user->attribuerRole(Role::PARENT, new DateTimeImmutable());
+        $this->userRepository->save($user);
+
+        $result = ($this->handler)(new UpdateUserRolesCommand(
+            userId: (string) $user->id,
+            roles: [Role::PROF->value, Role::PARENT->value, Role::ADMIN->value],
+        ));
+
+        self::assertTrue($result->aLeRole(Role::PROF));
+        self::assertTrue($result->aLeRole(Role::PARENT));
+        self::assertTrue($result->aLeRole(Role::ADMIN));
+        self::assertCount(3, $result->roles);
+    }
+
+    #[Test]
+    public function itThrowsWhenEmptyRoles(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $this->userRepository->save($user);
+
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage('Au moins un rôle est requis.');
+
+        ($this->handler)(new UpdateUserRolesCommand(
+            userId: (string) $user->id,
+            roles: [],
+        ));
+    }
+
+    #[Test]
+    public function itThrowsWhenInvalidRole(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $this->userRepository->save($user);
+
+        $this->expectException(InvalidArgumentException::class);
+
+        ($this->handler)(new UpdateUserRolesCommand(
+            userId: (string) $user->id,
+            roles: ['ROLE_INVALID'],
+        ));
+    }
+
+    private function createUser(Role $role): User
+    {
+        return User::creer(
+            email: new Email('user@example.com'),
+            role: $role,
+            tenantId: TenantId::fromString(self::TENANT_ID),
+            schoolName: 'École Alpha',
+            dateNaissance: null,
+            createdAt: new DateTimeImmutable('2026-01-15 10:00:00'),
+        );
+    }
+}
--- a/backend/tests/Unit/Administration/Application/Service/RoleContextTest.php
+++ b/backend/tests/Unit/Administration/Application/Service/RoleContextTest.php
@@ -0,0 +1,139 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Administration\Application\Service;
+
+use App\Administration\Application\Port\ActiveRoleStore;
+use App\Administration\Application\Service\RoleContext;
+use App\Administration\Domain\Exception\RoleNonAttribueException;
+use App\Administration\Domain\Model\User\Email;
+use App\Administration\Domain\Model\User\Role;
+use App\Administration\Domain\Model\User\StatutCompte;
+use App\Administration\Domain\Model\User\User;
+use App\Administration\Domain\Model\User\UserId;
+use App\Shared\Domain\Tenant\TenantId;
+use DateTimeImmutable;
+use DomainException;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+final class RoleContextTest extends TestCase
+{
+    private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
+
+    private InMemoryActiveRoleStore $store;
+    private RoleContext $roleContext;
+
+    protected function setUp(): void
+    {
+        $this->store = new InMemoryActiveRoleStore();
+        $this->roleContext = new RoleContext($this->store);
+    }
+
+    #[Test]
+    public function itReturnsPrimaryRoleWhenNoActiveRoleStored(): void
+    {
+        $user = $this->createUser(Role::PROF);
+
+        self::assertSame(Role::PROF, $this->roleContext->getActiveRole($user));
+    }
+
+    #[Test]
+    public function itSwitchesToAnotherRole(): void
+    {
+        $user = $this->createActiveUser(Role::PROF);
+        $user->attribuerRole(Role::ADMIN, new DateTimeImmutable());
+
+        $this->roleContext->switchTo($user, Role::ADMIN);
+
+        self::assertSame(Role::ADMIN, $this->roleContext->getActiveRole($user));
+    }
+
+    #[Test]
+    public function itThrowsWhenSwitchingToUnassignedRole(): void
+    {
+        $user = $this->createActiveUser(Role::PROF);
+
+        $this->expectException(RoleNonAttribueException::class);
+
+        $this->roleContext->switchTo($user, Role::ADMIN);
+    }
+
+    #[Test]
+    public function itClearsActiveRole(): void
+    {
+        $user = $this->createActiveUser(Role::PROF);
+        $user->attribuerRole(Role::ADMIN, new DateTimeImmutable());
+
+        $this->roleContext->switchTo($user, Role::ADMIN);
+        $this->roleContext->clear($user);
+
+        self::assertSame(Role::PROF, $this->roleContext->getActiveRole($user));
+    }
+
+    #[Test]
+    public function itThrowsWhenAccountIsNotActive(): void
+    {
+        $user = $this->createActiveUser(Role::PROF);
+        $user->attribuerRole(Role::ADMIN, new DateTimeImmutable());
+        $user->bloquer('Test', new DateTimeImmutable());
+
+        $this->expectException(DomainException::class);
+
+        $this->roleContext->switchTo($user, Role::ADMIN);
+    }
+
+    private function createUser(Role $role): User
+    {
+        return User::creer(
+            email: new Email('user@example.com'),
+            role: $role,
+            tenantId: TenantId::fromString(self::TENANT_ID),
+            schoolName: 'École Test',
+            dateNaissance: null,
+            createdAt: new DateTimeImmutable('2026-01-15 10:00:00'),
+        );
+    }
+
+    private function createActiveUser(Role $role): User
+    {
+        return User::reconstitute(
+            id: UserId::generate(),
+            email: new Email('active@example.com'),
+            roles: [$role],
+            tenantId: TenantId::fromString(self::TENANT_ID),
+            schoolName: 'École Test',
+            statut: StatutCompte::ACTIF,
+            dateNaissance: null,
+            createdAt: new DateTimeImmutable('2026-01-15 10:00:00'),
+            hashedPassword: 'hashed',
+            activatedAt: new DateTimeImmutable('2026-01-16 10:00:00'),
+            consentementParental: null,
+        );
+    }
+}
+
+/**
+ * @internal
+ */
+final class InMemoryActiveRoleStore implements ActiveRoleStore
+{
+    /** @var array<string, Role> */
+    private array $roles = [];
+
+    public function store(User $user, Role $role): void
+    {
+        $this->roles[(string) $user->id] = $role;
+    }
+
+    public function get(User $user): ?Role
+    {
+        return $this->roles[(string) $user->id] ?? null;
+    }
+
+    public function clear(User $user): void
+    {
+        unset($this->roles[(string) $user->id]);
+    }
+}
--- a/backend/tests/Unit/Administration/Domain/Model/User/UserInvitationTest.php
+++ b/backend/tests/Unit/Administration/Domain/Model/User/UserInvitationTest.php
@@ -176,7 +176,7 @@ final class UserInvitationTest extends TestCase
        $user = User::reconstitute(
            id: UserId::generate(),
            email: new Email('minor@example.com'),
-            role: Role::ELEVE,
+            roles: [Role::ELEVE],
            tenantId: TenantId::fromString(self::TENANT_ID),
            schoolName: self::SCHOOL_NAME,
            statut: StatutCompte::CONSENTEMENT_REQUIS,
--- a/backend/tests/Unit/Administration/Domain/Model/User/UserRoleTest.php
+++ b/backend/tests/Unit/Administration/Domain/Model/User/UserRoleTest.php
@@ -0,0 +1,156 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Administration\Domain\Model\User;
+
+use App\Administration\Domain\Event\RoleAttribue;
+use App\Administration\Domain\Event\RoleRetire;
+use App\Administration\Domain\Exception\DernierRoleNonRetirableException;
+use App\Administration\Domain\Exception\RoleDejaAttribueException;
+use App\Administration\Domain\Exception\RoleNonAttribueException;
+use App\Administration\Domain\Model\User\Email;
+use App\Administration\Domain\Model\User\Role;
+use App\Administration\Domain\Model\User\User;
+use App\Shared\Domain\Tenant\TenantId;
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+final class UserRoleTest extends TestCase
+{
+    private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
+    private const string SCHOOL_NAME = 'École Alpha';
+
+    #[Test]
+    public function userIsCreatedWithSingleRole(): void
+    {
+        $user = $this->createUser(Role::PROF);
+
+        self::assertSame([Role::PROF], $user->roles);
+    }
+
+    #[Test]
+    public function attribuerRoleAddsRoleToUser(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $user->pullDomainEvents();
+
+        $user->attribuerRole(Role::PARENT, new DateTimeImmutable('2026-02-08 10:00:00'));
+
+        self::assertContains(Role::PROF, $user->roles);
+        self::assertContains(Role::PARENT, $user->roles);
+        self::assertCount(2, $user->roles);
+    }
+
+    #[Test]
+    public function attribuerRoleRecordsRoleAttribueEvent(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $user->pullDomainEvents();
+
+        $user->attribuerRole(Role::PARENT, new DateTimeImmutable('2026-02-08 10:00:00'));
+
+        $events = $user->pullDomainEvents();
+        self::assertCount(1, $events);
+        self::assertInstanceOf(RoleAttribue::class, $events[0]);
+    }
+
+    #[Test]
+    public function attribuerRoleThrowsWhenRoleAlreadyAssigned(): void
+    {
+        $user = $this->createUser(Role::PROF);
+
+        $this->expectException(RoleDejaAttribueException::class);
+
+        $user->attribuerRole(Role::PROF, new DateTimeImmutable());
+    }
+
+    #[Test]
+    public function retirerRoleRemovesRoleFromUser(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $user->attribuerRole(Role::PARENT, new DateTimeImmutable());
+        $user->pullDomainEvents();
+
+        $user->retirerRole(Role::PARENT, new DateTimeImmutable('2026-02-08 10:00:00'));
+
+        self::assertSame([Role::PROF], $user->roles);
+    }
+
+    #[Test]
+    public function retirerRoleRecordsRoleRetireEvent(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $user->attribuerRole(Role::PARENT, new DateTimeImmutable());
+        $user->pullDomainEvents();
+
+        $user->retirerRole(Role::PARENT, new DateTimeImmutable('2026-02-08 10:00:00'));
+
+        $events = $user->pullDomainEvents();
+        self::assertCount(1, $events);
+        self::assertInstanceOf(RoleRetire::class, $events[0]);
+    }
+
+    #[Test]
+    public function retirerRoleThrowsWhenRoleNotAssigned(): void
+    {
+        $user = $this->createUser(Role::PROF);
+
+        $this->expectException(RoleNonAttribueException::class);
+
+        $user->retirerRole(Role::PARENT, new DateTimeImmutable());
+    }
+
+    #[Test]
+    public function retirerRoleThrowsWhenLastRole(): void
+    {
+        $user = $this->createUser(Role::PROF);
+
+        $this->expectException(DernierRoleNonRetirableException::class);
+
+        $user->retirerRole(Role::PROF, new DateTimeImmutable());
+    }
+
+    #[Test]
+    public function userCanHaveMultipleRoles(): void
+    {
+        $user = $this->createUser(Role::PROF);
+        $user->attribuerRole(Role::PARENT, new DateTimeImmutable());
+        $user->attribuerRole(Role::VIE_SCOLAIRE, new DateTimeImmutable());
+
+        self::assertCount(3, $user->roles);
+        self::assertContains(Role::PROF, $user->roles);
+        self::assertContains(Role::PARENT, $user->roles);
+        self::assertContains(Role::VIE_SCOLAIRE, $user->roles);
+    }
+
+    #[Test]
+    public function aLeRoleReturnsTrueForAssignedRole(): void
+    {
+        $user = $this->createUser(Role::PROF);
+
+        self::assertTrue($user->aLeRole(Role::PROF));
+        self::assertFalse($user->aLeRole(Role::PARENT));
+    }
+
+    #[Test]
+    public function rolePrincipalReturnsFirstRole(): void
+    {
+        $user = $this->createUser(Role::PROF);
+
+        self::assertSame(Role::PROF, $user->rolePrincipal());
+    }
+
+    private function createUser(Role $role = Role::PARENT): User
+    {
+        return User::creer(
+            email: new Email('user@example.com'),
+            role: $role,
+            tenantId: TenantId::fromString(self::TENANT_ID),
+            schoolName: self::SCHOOL_NAME,
+            dateNaissance: null,
+            createdAt: new DateTimeImmutable('2026-01-15 10:00:00'),
+        );
+    }
+}
--- a/backend/tests/Unit/Administration/Infrastructure/Api/Controller/LogoutControllerTest.php
+++ b/backend/tests/Unit/Administration/Infrastructure/Api/Controller/LogoutControllerTest.php
@@ -200,10 +200,13 @@ final class LogoutControllerTest extends TestCase

        // THEN: Cookies are cleared (expired)
        $cookies = $response->headers->getCookies();
-        $this->assertCount(2, $cookies); // /api and /api/token (legacy)
+        $this->assertCount(3, $cookies); // refresh_token /api, /api/token (legacy), classeo_sid
+
+        $cookieNames = array_map(static fn ($c) => $c->getName(), $cookies);
+        $this->assertContains('refresh_token', $cookieNames);
+        $this->assertContains('classeo_sid', $cookieNames);

        foreach ($cookies as $cookie) {
-            $this->assertSame('refresh_token', $cookie->getName());
            $this->assertSame('', $cookie->getValue());
            $this->assertTrue($cookie->isCleared()); // Expiry in the past
        }
--- a/backend/tests/Unit/Administration/Infrastructure/Console/CreateTestActivationTokenCommandTest.php
+++ b/backend/tests/Unit/Administration/Infrastructure/Console/CreateTestActivationTokenCommandTest.php
@@ -185,7 +185,7 @@ final class CreateTestActivationTokenCommandTest extends TestCase
        return User::reconstitute(
            id: UserId::generate(),
            email: new Email($email),
-            role: Role::PARENT,
+            roles: [Role::PARENT],
            tenantId: TenantId::fromString(self::TENANT_ID),
            schoolName: 'École Test',
            statut: StatutCompte::ACTIF,
--- a/backend/tests/Unit/Administration/Infrastructure/Security/DatabaseUserProviderTest.php
+++ b/backend/tests/Unit/Administration/Infrastructure/Security/DatabaseUserProviderTest.php
@@ -226,7 +226,7 @@ final class DatabaseUserProviderTest extends TestCase
        return User::reconstitute(
            id: UserId::generate(),
            email: new Email('user@example.com'),
-            role: Role::PARENT,
+            roles: [Role::PARENT],
            tenantId: $tenantId,
            schoolName: 'École Test',
            statut: $statut,
--- a/backend/tests/Unit/Administration/Infrastructure/Security/LoginSuccessHandlerTest.php
+++ b/backend/tests/Unit/Administration/Infrastructure/Security/LoginSuccessHandlerTest.php
@@ -133,12 +133,12 @@ final class LoginSuccessHandlerTest extends TestCase
        // WHEN: Handler processes the event
        $this->handler->onAuthenticationSuccess($event);

-        // THEN: Refresh token cookie is set
+        // THEN: Refresh token cookie and session ID cookie are set
        $cookies = $response->headers->getCookies();
-        $this->assertCount(1, $cookies);
-        $this->assertSame('refresh_token', $cookies[0]->getName());
-        $this->assertTrue($cookies[0]->isHttpOnly());
-        $this->assertSame('/api', $cookies[0]->getPath());
+        $this->assertCount(2, $cookies);
+        $cookieNames = array_map(static fn ($c) => $c->getName(), $cookies);
+        $this->assertContains('refresh_token', $cookieNames);
+        $this->assertContains('classeo_sid', $cookieNames);

        // THEN: Refresh token is saved in repository
        $this->assertTrue(
@@ -304,10 +304,12 @@ final class LoginSuccessHandlerTest extends TestCase
        // WHEN: Handler processes the event
        $this->handler->onAuthenticationSuccess($event);

-        // THEN: Cookie is NOT marked as secure (HTTP)
+        // THEN: Cookies are NOT marked as secure (HTTP)
        $cookies = $response->headers->getCookies();
-        $this->assertCount(1, $cookies);
-        $this->assertFalse($cookies[0]->isSecure());
+        $this->assertCount(2, $cookies);
+        foreach ($cookies as $cookie) {
+            $this->assertFalse($cookie->isSecure());
+        }
    }

    private function createRequest(): Request
--- a/backend/tests/Unit/Administration/Infrastructure/Security/SecurityUserTest.php
+++ b/backend/tests/Unit/Administration/Infrastructure/Security/SecurityUserTest.php
@@ -84,7 +84,7 @@ final class SecurityUserTest extends TestCase
        return User::reconstitute(
            id: UserId::generate(),
            email: new Email('user@example.com'),
-            role: $role,
+            roles: [$role],
            tenantId: TenantId::fromString(self::TENANT_ID),
            schoolName: 'École Test',
            statut: StatutCompte::ACTIF,
--- a/backend/tests/Unit/Administration/Infrastructure/Security/UserVoterTest.php
+++ b/backend/tests/Unit/Administration/Infrastructure/Security/UserVoterTest.php
@@ -121,6 +121,48 @@ final class UserVoterTest extends TestCase
        self::assertSame(UserVoter::ACCESS_DENIED, $result);
    }

+    #[Test]
+    public function itGrantsManageRolesToAdmin(): void
+    {
+        $result = $this->voteWithRole('ROLE_ADMIN', UserVoter::MANAGE_ROLES);
+        self::assertSame(UserVoter::ACCESS_GRANTED, $result);
+    }
+
+    #[Test]
+    public function itGrantsManageRolesToSuperAdmin(): void
+    {
+        $result = $this->voteWithRole('ROLE_SUPER_ADMIN', UserVoter::MANAGE_ROLES);
+        self::assertSame(UserVoter::ACCESS_GRANTED, $result);
+    }
+
+    #[Test]
+    public function itDeniesManageRolesToProf(): void
+    {
+        $result = $this->voteWithRole('ROLE_PROF', UserVoter::MANAGE_ROLES);
+        self::assertSame(UserVoter::ACCESS_DENIED, $result);
+    }
+
+    #[Test]
+    public function itDeniesManageRolesToSecretariat(): void
+    {
+        $result = $this->voteWithRole('ROLE_SECRETARIAT', UserVoter::MANAGE_ROLES);
+        self::assertSame(UserVoter::ACCESS_DENIED, $result);
+    }
+
+    #[Test]
+    public function itGrantsResendInvitationToAdmin(): void
+    {
+        $result = $this->voteWithRole('ROLE_ADMIN', UserVoter::RESEND_INVITATION);
+        self::assertSame(UserVoter::ACCESS_GRANTED, $result);
+    }
+
+    #[Test]
+    public function itDeniesResendInvitationToProf(): void
+    {
+        $result = $this->voteWithRole('ROLE_PROF', UserVoter::RESEND_INVITATION);
+        self::assertSame(UserVoter::ACCESS_DENIED, $result);
+    }
+
    private function voteWithRole(string $role, string $attribute): int
    {
        $user = $this->createMock(UserInterface::class);