admin/e-ticket
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enforce sub-account permissions on events and tickets routes

Browse Source 
- SubAccountPermissionSubscriber: checks events/tickets permissions for sub-accounts
- Blocks access with redirect + flash error if permission missing
- Hide events/subaccounts/payouts tabs for sub-accounts without permission
- 5 tests: non-sub-account, blocked events, allowed events, blocked tickets

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Serreau Jovann
2026-03-22 22:05:16 +01:00
parent 6db0566f69
commit 94ebe09181
4 changed files with 252 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
TASK_CHECKUP.md
View File

@@ -28,7 +28,7 @@
- [x] Admin : liste de toutes les commandes avec filtres (recherche, statut, KPIs)
- [x] Admin : pouvoir suspendre/réactiver un organisateur (badge, bouton toggle, redirect si suspendu, audit log)
- [x] Admin : pouvoir modifier l'offre/commission d'un orga existant
- [ ] Vérifier que les permissions des sous-comptes sont respectées (scanner, events, tickets)
- [x] Vérifier que les permissions des sous-comptes sont respectées (scanner, events, tickets)
- [x] Admin : logs des actions importantes (audit trail: commande, paiement, annulation, remboursement)
### UX & Pages

88
src/EventSubscriber/SubAccountPermissionSubscriber.php Normal file
View File

@@ -0,0 +1,88 @@
<?php
namespace App\EventSubscriber;
use App\Entity\User;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
class SubAccountPermissionSubscriber implements EventSubscriberInterface
{
private const EVENTS_ROUTES = [
'app_account_create_event',
'app_account_edit_event',
'app_account_delete_event',
'app_account_toggle_event_online',
'app_account_toggle_event_secret',
'app_account_event_add_category',
'app_account_event_edit_category',
'app_account_event_delete_category',
'app_account_event_reorder_categories',
'app_account_event_add_billet',
'app_account_event_edit_billet',
'app_account_event_delete_billet',
'app_account_event_reorder_billets',
'app_account_event_billet_preview',
'app_account_event_save_billet_design',
'app_account_event_create_invitation',
'app_account_event_resend_invitation',
'app_account_event_cancel_order',
'app_account_event_refund_order',
];
private const TICKETS_ROUTES = [
'app_account_event_add_billet',
'app_account_event_edit_billet',
'app_account_event_delete_billet',
'app_account_event_reorder_billets',
'app_account_event_billet_preview',
'app_account_event_save_billet_design',
];
public function __construct(
private Security $security,
private UrlGeneratorInterface $urlGenerator,
) {
}
public static function getSubscribedEvents(): array
{
return [
KernelEvents::REQUEST => ['onKernelRequest', 7],
];
}
public function onKernelRequest(RequestEvent $event): void
{
if (!$event->isMainRequest()) {
return;
}
$user = $this->security->getUser();
if (!$user instanceof User || !$user->getParentOrganizer()) {
return;
}
$route = $event->getRequest()->attributes->getString('_route');
if (\in_array($route, self::TICKETS_ROUTES, true) && !$user->hasPermission('tickets')) {
$this->deny($event);
return;
}
if (\in_array($route, self::EVENTS_ROUTES, true) && !$user->hasPermission('events')) {
$this->deny($event);
}
}
private function deny(RequestEvent $event): void
{
$event->getRequest()->getSession()->getFlashBag()->add('error', 'Vous n\'avez pas la permission d\'effectuer cette action.');
$event->setResponse(new RedirectResponse($this->urlGenerator->generate('app_account')));
}
}

11
templates/account/index.html.twig
View File

@@ -78,10 +78,15 @@
{% endif %}
<div class="flex flex-wrap overflow-x-auto mb-8">
{% set isSubAccount = app.user.parentOrganizer is not null %}
{% if isOrganizer %}
<a href="{{ path('app_account', {tab: 'events'}) }}" class="flex-1 min-w-[100px] text-center py-3 border-3 border-gray-900 border-r-0 {{ tab == 'events' ? 'bg-yellow-400' : 'bg-white' }} font-black uppercase text-xs tracking-widest transition-all">Evenements / Brocantes</a>
<a href="{{ path('app_account', {tab: 'subaccounts'}) }}" class="flex-1 min-w-[100px] text-center py-3 border-3 border-gray-900 border-r-0 {{ tab == 'subaccounts' ? 'bg-yellow-400' : 'bg-white' }} font-black uppercase text-xs tracking-widest transition-all">Sous-comptes</a>
<a href="{{ path('app_account', {tab: 'payouts'}) }}" class="flex-1 min-w-[100px] text-center py-3 border-3 border-gray-900 border-r-0 {{ tab == 'payouts' ? 'bg-yellow-400' : 'bg-white' }} font-black uppercase text-xs tracking-widest transition-all">Virements</a>
{% if not isSubAccount or app.user.hasPermission('events') %}
<a href="{{ path('app_account', {tab: 'events'}) }}" class="flex-1 min-w-[100px] text-center py-3 border-3 border-gray-900 border-r-0 {{ tab == 'events' ? 'bg-yellow-400' : 'bg-white' }} font-black uppercase text-xs tracking-widest transition-all">Evenements / Brocantes</a>
{% endif %}
{% if not isSubAccount %}
<a href="{{ path('app_account', {tab: 'subaccounts'}) }}" class="flex-1 min-w-[100px] text-center py-3 border-3 border-gray-900 border-r-0 {{ tab == 'subaccounts' ? 'bg-yellow-400' : 'bg-white' }} font-black uppercase text-xs tracking-widest transition-all">Sous-comptes</a>
<a href="{{ path('app_account', {tab: 'payouts'}) }}" class="flex-1 min-w-[100px] text-center py-3 border-3 border-gray-900 border-r-0 {{ tab == 'payouts' ? 'bg-yellow-400' : 'bg-white' }} font-black uppercase text-xs tracking-widest transition-all">Virements</a>
{% endif %}
{% endif %}
<a href="{{ path('app_account', {tab: 'tickets'}) }}" class="flex-1 min-w-[100px] text-center py-3 border-3 border-gray-900 border-r-0 {{ tab == 'tickets' ? 'bg-yellow-400' : 'bg-white' }} font-black uppercase text-xs tracking-widest transition-all">Billets</a>
<a href="{{ path('app_account', {tab: 'purchases'}) }}" class="flex-1 min-w-[100px] text-center py-3 border-3 border-gray-900 border-r-0 {{ tab == 'purchases' ? 'bg-yellow-400' : 'bg-white' }} font-black uppercase text-xs tracking-widest transition-all">Achats</a>

155
tests/EventSubscriber/SubAccountPermissionSubscriberTest.php Normal file
View File

@@ -0,0 +1,155 @@
<?php
namespace App\Tests\EventSubscriber;
use App\Entity\User;
use App\EventSubscriber\SubAccountPermissionSubscriber;
use PHPUnit\Framework\TestCase;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Session\Flash\FlashBag;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
class SubAccountPermissionSubscriberTest extends TestCase
{
public function testSubscribedEvents(): void
{
self::assertArrayHasKey(KernelEvents::REQUEST, SubAccountPermissionSubscriber::getSubscribedEvents());
}
public function testIgnoresNonSubAccount(): void
{
$user = new User();
$user->setEmail('orga@test.fr');
$user->setFirstName('O');
$user->setLastName('T');
$user->setPassword('h');
$security = $this->createMock(Security::class);
$security->method('getUser')->willReturn($user);
$urlGenerator = $this->createMock(UrlGeneratorInterface::class);
$subscriber = new SubAccountPermissionSubscriber($security, $urlGenerator);
$request = Request::create('/mon-compte/evenement/creer', 'GET');
$request->attributes->set('_route', 'app_account_create_event');
$request->setSession(new Session(new MockArraySessionStorage()));
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$subscriber->onKernelRequest($event);
self::assertNull($event->getResponse());
}
public function testBlocksSubAccountWithoutEventsPermission(): void
{
$parent = new User();
$parent->setEmail('parent@test.fr');
$parent->setFirstName('P');
$parent->setLastName('T');
$parent->setPassword('h');
$sub = new User();
$sub->setEmail('sub@test.fr');
$sub->setFirstName('S');
$sub->setLastName('T');
$sub->setPassword('h');
$sub->setParentOrganizer($parent);
$sub->setSubAccountPermissions(['scanner']);
$security = $this->createMock(Security::class);
$security->method('getUser')->willReturn($sub);
$urlGenerator = $this->createMock(UrlGeneratorInterface::class);
$urlGenerator->method('generate')->willReturn('/mon-compte');
$subscriber = new SubAccountPermissionSubscriber($security, $urlGenerator);
$request = Request::create('/mon-compte/evenement/creer', 'GET');
$request->attributes->set('_route', 'app_account_create_event');
$request->setSession(new Session(new MockArraySessionStorage()));
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$subscriber->onKernelRequest($event);
self::assertNotNull($event->getResponse());
self::assertSame(302, $event->getResponse()->getStatusCode());
}
public function testAllowsSubAccountWithEventsPermission(): void
{
$parent = new User();
$parent->setEmail('parent2@test.fr');
$parent->setFirstName('P');
$parent->setLastName('T');
$parent->setPassword('h');
$sub = new User();
$sub->setEmail('sub2@test.fr');
$sub->setFirstName('S');
$sub->setLastName('T');
$sub->setPassword('h');
$sub->setParentOrganizer($parent);
$sub->setSubAccountPermissions(['events', 'scanner']);
$security = $this->createMock(Security::class);
$security->method('getUser')->willReturn($sub);
$urlGenerator = $this->createMock(UrlGeneratorInterface::class);
$subscriber = new SubAccountPermissionSubscriber($security, $urlGenerator);
$request = Request::create('/mon-compte/evenement/creer', 'GET');
$request->attributes->set('_route', 'app_account_create_event');
$request->setSession(new Session(new MockArraySessionStorage()));
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$subscriber->onKernelRequest($event);
self::assertNull($event->getResponse());
}
public function testBlocksSubAccountWithoutTicketsPermission(): void
{
$parent = new User();
$parent->setEmail('parent3@test.fr');
$parent->setFirstName('P');
$parent->setLastName('T');
$parent->setPassword('h');
$sub = new User();
$sub->setEmail('sub3@test.fr');
$sub->setFirstName('S');
$sub->setLastName('T');
$sub->setPassword('h');
$sub->setParentOrganizer($parent);
$sub->setSubAccountPermissions(['events']);
$security = $this->createMock(Security::class);
$security->method('getUser')->willReturn($sub);
$urlGenerator = $this->createMock(UrlGeneratorInterface::class);
$urlGenerator->method('generate')->willReturn('/mon-compte');
$subscriber = new SubAccountPermissionSubscriber($security, $urlGenerator);
$request = Request::create('/mon-compte/evenement/1/billet/ajouter', 'GET');
$request->attributes->set('_route', 'app_account_event_add_billet');
$request->setSession(new Session(new MockArraySessionStorage()));
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$subscriber->onKernelRequest($event);
self::assertNotNull($event->getResponse());
}
}