src/Controller/DevisPdfController.php (nouveau):
- Route /devis/pdf/{id}/{type} avec type = unsigned|signed|audit
- Requiert ROLE_USER minimum
- checkAccess(): les ROLE_EMPLOYE ont toujours acces,
pour les clients un TODO est prepare pour verifier que le
client connecte est bien lie au devis (a implementer quand
la relation Customer sera ajoutee sur Devis)
- Sert le fichier via BinaryFileResponse en inline (affichage
dans le navigateur) avec nom de telechargement propre
(ex: signed-04-2026-00001.pdf)
config/packages/vich_uploader.yaml:
- Mapping devis_pdf: stockage deplace de public/uploads/devis
vers var/uploads/devis (hors du dossier public, inaccessible
directement par URL)
- uri_prefix change en /devis/pdf (pointe vers le controller)
config/packages/security.yaml:
- Suppression de la regle access_control sur /uploads/devis
(remplacee par le controller avec verification plus fine)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# Symfony security configuration: password hashing, user loading, firewalls,
# role inheritance and URL-level access rules.
security:
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        # 'auto' lets Symfony choose the hashing algorithm for every user class
        # implementing PasswordAuthenticatedUserInterface.
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'

    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        # Users are loaded from the App\Entity\User entity, looked up by e-mail.
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email

    # Firewalls are tried in order; the first one whose pattern matches the
    # request path handles it, so "main" (no pattern) catches everything else.
    firewalls:
        dev:
            # Profiler, debug toolbar and static assets bypass the security system.
            pattern: ^/(_profiler|_wdt|assets|build)/
            security: false
        webhooks:
            # NOTE(review): security: false switches the security system off for
            # every URL under /webhooks/ - no authentication happens there and no
            # access_control rule applies. Each handler under this prefix has to
            # authenticate its caller itself (for example by verifying a request
            # signature); confirm that all of them do.
            pattern: ^/webhooks/
            security: false
        main:
            lazy: true
            provider: app_user_provider
            # Two authenticators are configured (form_login and the custom
            # Keycloak one), so the entry point for unauthenticated visitors is
            # named explicitly.
            entry_point: form_login
            custom_authenticators:
                - App\Security\KeycloakAuthenticator
            form_login:
                # The login form is displayed and submitted on the same route.
                login_path: app_home
                check_path: app_home
                username_parameter: _username
                password_parameter: _password
                success_handler: App\Security\LoginSuccessHandler
            logout:
                path: app_logout
            # Two-factor step after the first authentication (presumably
            # scheb/2fa-bundle - confirm against composer.json).
            two_factor:
                auth_form_path: 2fa_login
                check_path: 2fa_login_check
                default_target_path: app_home
                prepare_on_login: true
                prepare_on_access_denied: true
                # Protects the 2FA code form with a CSRF token.
                enable_csrf: true

    # ROLE_EMPLOYE inherits ROLE_MEMBER and ROLE_USER but not ROLE_CUSTOMER, so
    # employees do not pass the ^/espace-client rule below. ROLE_ROOT inherits
    # both branches (ROLE_EMPLOYE and, through ROLE_REVENDEUR, ROLE_CUSTOMER).
    role_hierarchy:
        ROLE_CUSTOMER: ROLE_USER
        ROLE_REVENDEUR: ROLE_CUSTOMER
        ROLE_MEMBER: ROLE_USER
        ROLE_EMPLOYE: ROLE_MEMBER
        ROLE_ROOT: [ROLE_EMPLOYE, ROLE_REVENDEUR]

    # Note: Only the *first* matching rule is applied
    # There is no catch-all rule: a path that matches none of the entries below
    # is not restricted here and relies on checks made in the controller.
    # NOTE(review): no rule matches /devis/pdf, so access to quote PDFs rests
    # entirely on the controller serving that route. Confirm that, for users
    # without ROLE_EMPLOYE, it verifies that the requested devis belongs to the
    # logged-in customer before the file is served.
    access_control:
        # Keep the ^/2fa rule first so the two-factor form stays reachable only
        # while a two-factor login is in progress. This entry uses the singular
        # "role" key while the entries below use "roles".
        - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: ^/admin, roles: ROLE_EMPLOYE }
        - { path: ^/espace-client, roles: ROLE_CUSTOMER }
        - { path: ^/espace-prestataire, roles: ROLE_REVENDEUR }
# Overrides applied only in the "test" environment.
when@test:
    security:
        providers:
            # Users come from a test-only provider service instead of the database.
            test_user_provider:
                id: App\Tests\TestUserProvider
        firewalls:
            main:
                provider: test_user_provider
        password_hashers:
            # Password hashers are resource-intensive by design to ensure security.
            # In tests, it's safe to reduce their cost to improve performance.
            # These minimum costs are scoped to when@test and must never be
            # copied into the main "security" section above the test overrides.
            Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
                algorithm: auto
                cost: 4 # Lowest possible value for bcrypt
                time_cost: 3 # Lowest possible value for argon
                memory_cost: 10 # Lowest possible value for argon