🔒️ deny access for standard user

jeremyriverain · Aug 25, 2024 · 8e19bee · 8e19bee
1 parent 7c0506d
commit 8e19bee
Show file tree

Hide file tree

Showing 12 changed files with 57 additions and 20 deletions.
diff --git a/README.md b/README.md
@@ -36,11 +36,12 @@ Accédez à l'application en tapant l'URL: [http://localhost:4444](http://localh
 
 3 utilisateurs sont pré-configurés:
 
-| Rôle             | Email                   |
-| ---------------- | ----------------------- |
-| ROLE_USER        | user@fixture.com        |
-| ROLE_ADMIN       | admin@fixture.com       |
-| ROLE_SUPER_ADMIN | super-admin@fixture.com |
+| Rôle                    | Email                   |
+| ----------------------- | ----------------------- |
+| ROLE_USER               | user@fixture.com        |
+| ROLE_CONTRIBUTOR        | contributor@fixture.com |
+| ROLE_ADMIN              | admin@fixture.com       |
+| ROLE_SUPER_ADMIN        | super-admin@fixture.com |
 
 Lorsque vous saisissez le mail sur le portail d'authentification, un email est envoyé contenant un lien pour se connecter sans mot de passe. Pour récupérer ce lien, vous pouvez ouvrir [http://localhost:1080](http://localhost:1080).
 

diff --git a/e2e/cypress/integration/admin/Auth.cy.js b/e2e/cypress/integration/admin/Auth.cy.js
@@ -17,12 +17,17 @@ context("Auth", () => {
     cy.url().should("not.match", /\/login/);
   });
 
+  it("user cannot access the dashboard", () => {
+    cy.realLogin("user@fixture.com");
+    cy.contains("Access Denied.");
+  });
+
   it("updates profile", () => {
     const emailSelector = "input[name=User\\[email\\]]";
     const newEmail = "cy-test@fixture.com";
     cy.realLogin();
     cy.visit("/admin");
-    cy.get("aside.content-top").contains("user@fixture.com").click();
+    cy.get("aside.content-top").contains("contributor@fixture.com").click();
     cy.get("a").contains("Mon profil").click({ force: true });
     cy.get("h1").contains("Modifier Utilisateur");
 

diff --git a/e2e/cypress/integration/admin/Department.cy.js b/e2e/cypress/integration/admin/Department.cy.js
@@ -5,7 +5,7 @@ context("Department", () => {
     cy.task("loadDb");
   });
 
-  it("normal user cannot access Department section", () => {
+  it("admins cannot access Department section", () => {
     cy.realLogin();
     cy.get("#main-menu").contains("Départements").should("not.exist");
   });

diff --git a/e2e/cypress/integration/admin/User.cy.js b/e2e/cypress/integration/admin/User.cy.js
@@ -5,7 +5,7 @@ context("User", () => {
     cy.task("loadDb");
   });
 
-  it("normal user cannot access User section", () => {
+  it("admins cannot access User section", () => {
     cy.realLogin();
     cy.get("#main-menu").contains("Utilisateurs").should("not.exist");
   });
@@ -19,25 +19,26 @@ context("User Super Admin", () => {
   });
 
   it("super admin can access User section", () => {
-    cy.get("table tbody tr").should("have.length", 3);
+    cy.get("table tbody tr").should("have.length", 4);
     cy.get("table tbody tr").last().should("contain.text", "user@fixture.com");
   });
 
   it("super admin can delete user", () => {
-    cy.get("table tbody tr").should("have.length", 3);
+    cy.get("table tbody tr").should("have.length", 4);
     cy.get("table tbody tr").first().deleteRow();
-    cy.get("table tbody tr").should("have.length", 2);
+    cy.get("table tbody tr").should("have.length", 3);
   });
 
-  it("super admin can add user", () => {
+  it("super admin can add contributor", () => {
     cy.contains("Créer Utilisateur").click();
     cy.get("h1").should("contain.text", 'Créer "Utilisateur"');
     cy.get("button.action-save").contains("Créer").click();
     cy.get("input[name=User\\[email\\]]").should("have.class", "is-invalid");
 
     cy.get("input[name=User\\[email\\]]").type("test@fixture.com");
+    cy.contains("ROLE_CONTRIBUTOR").click();
     cy.get("button.action-save").contains("Créer").click();
-    cy.get("table tbody tr").should("have.length", 4);
+    cy.get("table tbody tr").should("have.length", 5);
     cy.get("table tbody tr").should("contain.text", "test@fixture.com");
 
     cy.logout();

diff --git a/e2e/cypress/support/commands.js b/e2e/cypress/support/commands.js
@@ -37,9 +37,9 @@ Cypress.Commands.add(
   }
 );
 
-Cypress.Commands.add("realLogin", (email = "user@fixture.com") => {
+Cypress.Commands.add("realLogin", (email = "contributor@fixture.com") => {
   cy.task("fetchEmails").as("beforeEmails");
-  cy.visit("/admin/login");
+  cy.visit("/admin/login", { failOnStatusCode: false });
   cy.get("input[name=email]").clear().type(email);
   cy.contains("Envoyer lien").click();
   // cy.wait(100)
@@ -53,14 +53,14 @@ Cypress.Commands.add("realLogin", (email = "user@fixture.com") => {
         const loginUrl = email
           .match(/Se connecter: (.*)/g)[0]
           .replace("Se connecter: ", "");
-        cy.visit(loginUrl);
+        cy.visit(loginUrl, { failOnStatusCode: false });
       });
     });
   });
 });
 
 Cypress.Commands.add("logout", () => {
-  cy.request("/admin/logout");
+  cy.request({ url: "/admin/logout", failOnStatusCode: false });
 });
 
 const originalVisit = cy.visit;

diff --git a/symfony/config/packages/security.yaml b/symfony/config/packages/security.yaml
@@ -40,11 +40,12 @@ security:
   # Note: Only the *first* access control that matches will be used
   access_control:
     - { path: ^/admin/login, roles: PUBLIC_ACCESS }
-    - { path: ^/admin, roles: ROLE_USER }
+    - { path: ^/admin, roles: ROLE_CONTRIBUTOR }
 
   access_decision_manager:
     strategy: unanimous
 
   role_hierarchy:
-    ROLE_ADMIN: ROLE_USER
+    ROLE_CONTRIBUTOR: ROLE_USER
+    ROLE_ADMIN: ROLE_CONTRIBUTOR
     ROLE_SUPER_ADMIN: ROLE_ADMIN
diff --git a/symfony/src/Controller/UserCrudController.php b/symfony/src/Controller/UserCrudController.php
@@ -8,7 +8,9 @@
 use EasyCorp\Bundle\EasyAdminBundle\Config\Actions;
 use EasyCorp\Bundle\EasyAdminBundle\Config\Crud;
 use EasyCorp\Bundle\EasyAdminBundle\Controller\AbstractCrudController;
+use EasyCorp\Bundle\EasyAdminBundle\Field\ChoiceField;
 use EasyCorp\Bundle\EasyAdminBundle\Field\DateTimeField;
+use EasyCorp\Bundle\EasyAdminBundle\Field\Field;
 use EasyCorp\Bundle\EasyAdminBundle\Field\TextField;
 
 class UserCrudController extends AbstractCrudController
@@ -32,6 +34,16 @@ public function configureFields(string $pageName): iterable
     {
         return [
             TextField::new('email'),
+            ChoiceField::new('roles')->allowMultipleChoices(true)->setChoices([
+                Roles::USER->value => Roles::USER->value,
+                Roles::CONTRIBUTOR->value => Roles::CONTRIBUTOR->value,
+                Roles::ADMIN->value => Roles::ADMIN->value,
+                Roles::SUPER_ADMIN->value => Roles::SUPER_ADMIN->value,
+            ])->renderExpanded(true)->renderAsBadges([
+                Roles::CONTRIBUTOR->value => 'primary',
+                Roles::ADMIN->value => 'warning',
+                Roles::SUPER_ADMIN->value => 'danger',
+            ]),
             DateTimeField::new('lastAuthenticatedAt', 'Last_connection')->hideOnForm(),
         ];
     }

diff --git a/symfony/src/Controller/Utils/Roles.php b/symfony/src/Controller/Utils/Roles.php
@@ -5,5 +5,7 @@
 enum Roles: string
 {
     case ADMIN = 'ROLE_ADMIN';
+    case CONTRIBUTOR = 'ROLE_CONTRIBUTOR';
     case SUPER_ADMIN = 'ROLE_SUPER_ADMIN';
+    case USER = 'ROLE_USER';
 }
diff --git a/symfony/src/DataFixtures/UserFixtures.php b/symfony/src/DataFixtures/UserFixtures.php
@@ -20,9 +20,13 @@ public function load(ObjectManager $manager): void
         $admin->setRoles([Roles::ADMIN->value]);
         $manager->persist($admin);
 
-        $contributor = $this->makeUser(('user@fixture.com'));
+        $contributor = $this->makeUser(('contributor@fixture.com'));
+        $contributor->setRoles([Roles::CONTRIBUTOR->value]);
         $manager->persist($contributor);
 
+        $user = $this->makeUser(('user@fixture.com'));
+        $manager->persist($user);
+
         $manager->flush();
     }
 

diff --git a/symfony/src/Entity/User.php b/symfony/src/Entity/User.php
@@ -80,6 +80,7 @@ public function getRoles(): array
         $roles = $this->roles;
         // guarantee every user at least has ROLE_USER
         $roles[] = 'ROLE_USER';
+        sort($roles);
 
         return array_unique($roles);
     }

diff --git a/symfony/translations/messages.en.yaml b/symfony/translations/messages.en.yaml
@@ -32,6 +32,11 @@ Pictures: Pictures
 Position: Position
 Rock: Rock
 Rocks: Rocks
+Roles: Roles
+ROLE_ADMIN: ROLE_ADMIN
+ROLE_CONTRIBUTOR: ROLE_CONTRIBUTOR
+ROLE_USER: ROLE_USER
+ROLE_SUPER_ADMIN: ROLE_SUPER_ADMIN
 Urban_boulder: Urban boulder
 User: User
 Users: Users
diff --git a/symfony/translations/messages.fr.yaml b/symfony/translations/messages.fr.yaml
@@ -32,6 +32,11 @@ Pictures: Photos
 Position: Position
 Rock: Rocher
 Rocks: Rochers
+Roles: Rôles
+ROLE_ADMIN: ROLE_ADMIN
+ROLE_CONTRIBUTOR: ROLE_CONTRIBUTOR
+ROLE_USER: ROLE_USER
+ROLE_SUPER_ADMIN: ROLE_SUPER_ADMIN
 Urban_boulder: Bloc urbain
 User: Utilisateur
 Users: Utilisateurs