Roukmoute/Classeo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Attribution de rôles multiples par utilisateur

Browse Source 
Les utilisateurs Classeo étaient limités à un seul rôle, alors que
dans la réalité scolaire un directeur peut aussi être enseignant,
ou un parent peut avoir un rôle vie scolaire. Cette limitation
obligeait à créer des comptes distincts par fonction.

Le modèle User supporte désormais plusieurs rôles simultanés avec
basculement via le header. L'admin peut attribuer/retirer des rôles
depuis l'interface de gestion, avec des garde-fous : pas d'auto-
destitution, pas d'escalade de privilèges (seul SUPER_ADMIN peut
attribuer SUPER_ADMIN), vérification du statut actif pour le
switch de rôle, et TTL explicite sur le cache de rôle actif.
This commit is contained in:
Mathias STRASSER
2026-02-10 07:57:43 +01:00
parent 9ccad77bf0
commit e930c505df
93 changed files with 2527 additions and 165 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
backend/tests/Unit/Administration/Infrastructure/Api/Controller/LogoutControllerTest.php
View File

@@ -200,10 +200,13 @@ final class LogoutControllerTest extends TestCase
// THEN: Cookies are cleared (expired)
$cookies = $response->headers->getCookies();
$this->assertCount(2, $cookies); // /api and /api/token (legacy)
$this->assertCount(3, $cookies); // refresh_token /api, /api/token (legacy), classeo_sid
$cookieNames = array_map(static fn ($c) => $c->getName(), $cookies);
$this->assertContains('refresh_token', $cookieNames);
$this->assertContains('classeo_sid', $cookieNames);
foreach ($cookies as $cookie) {
$this->assertSame('refresh_token', $cookie->getName());
$this->assertSame('', $cookie->getValue());
$this->assertTrue($cookie->isCleared()); // Expiry in the past
}

2
backend/tests/Unit/Administration/Infrastructure/Console/CreateTestActivationTokenCommandTest.php
View File

@@ -185,7 +185,7 @@ final class CreateTestActivationTokenCommandTest extends TestCase
return User::reconstitute(
id: UserId::generate(),
email: new Email($email),
role: Role::PARENT,
roles: [Role::PARENT],
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Test',
statut: StatutCompte::ACTIF,

2
backend/tests/Unit/Administration/Infrastructure/Security/DatabaseUserProviderTest.php
View File

@@ -226,7 +226,7 @@ final class DatabaseUserProviderTest extends TestCase
return User::reconstitute(
id: UserId::generate(),
email: new Email('user@example.com'),
role: Role::PARENT,
roles: [Role::PARENT],
tenantId: $tenantId,
schoolName: 'École Test',
statut: $statut,

18
backend/tests/Unit/Administration/Infrastructure/Security/LoginSuccessHandlerTest.php
View File

@@ -133,12 +133,12 @@ final class LoginSuccessHandlerTest extends TestCase
// WHEN: Handler processes the event
$this->handler->onAuthenticationSuccess($event);
// THEN: Refresh token cookie is set
// THEN: Refresh token cookie and session ID cookie are set
$cookies = $response->headers->getCookies();
$this->assertCount(1, $cookies);
$this->assertSame('refresh_token', $cookies[0]->getName());
$this->assertTrue($cookies[0]->isHttpOnly());
$this->assertSame('/api', $cookies[0]->getPath());
$this->assertCount(2, $cookies);
$cookieNames = array_map(static fn ($c) => $c->getName(), $cookies);
$this->assertContains('refresh_token', $cookieNames);
$this->assertContains('classeo_sid', $cookieNames);
// THEN: Refresh token is saved in repository
$this->assertTrue(
@@ -304,10 +304,12 @@ final class LoginSuccessHandlerTest extends TestCase
// WHEN: Handler processes the event
$this->handler->onAuthenticationSuccess($event);
// THEN: Cookie is NOT marked as secure (HTTP)
// THEN: Cookies are NOT marked as secure (HTTP)
$cookies = $response->headers->getCookies();
$this->assertCount(1, $cookies);
$this->assertFalse($cookies[0]->isSecure());
$this->assertCount(2, $cookies);
foreach ($cookies as $cookie) {
$this->assertFalse($cookie->isSecure());
}
}
private function createRequest(): Request

2
backend/tests/Unit/Administration/Infrastructure/Security/SecurityUserTest.php
View File

@@ -84,7 +84,7 @@ final class SecurityUserTest extends TestCase
return User::reconstitute(
id: UserId::generate(),
email: new Email('user@example.com'),
role: $role,
roles: [$role],
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Test',
statut: StatutCompte::ACTIF,

42
backend/tests/Unit/Administration/Infrastructure/Security/UserVoterTest.php
View File

@@ -121,6 +121,48 @@ final class UserVoterTest extends TestCase
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itGrantsManageRolesToAdmin(): void
{
$result = $this->voteWithRole('ROLE_ADMIN', UserVoter::MANAGE_ROLES);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itGrantsManageRolesToSuperAdmin(): void
{
$result = $this->voteWithRole('ROLE_SUPER_ADMIN', UserVoter::MANAGE_ROLES);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itDeniesManageRolesToProf(): void
{
$result = $this->voteWithRole('ROLE_PROF', UserVoter::MANAGE_ROLES);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itDeniesManageRolesToSecretariat(): void
{
$result = $this->voteWithRole('ROLE_SECRETARIAT', UserVoter::MANAGE_ROLES);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itGrantsResendInvitationToAdmin(): void
{
$result = $this->voteWithRole('ROLE_ADMIN', UserVoter::RESEND_INVITATION);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itDeniesResendInvitationToProf(): void
{
$result = $this->voteWithRole('ROLE_PROF', UserVoter::RESEND_INVITATION);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
private function voteWithRole(string $role, string $attribute): int
{
$user = $this->createMock(UserInterface::class);