admin/e-ticket
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enforce sub-account permissions on events and tickets routes

Browse Source 
- SubAccountPermissionSubscriber: checks events/tickets permissions for sub-accounts
- Blocks access with redirect + flash error if permission missing
- Hide events/subaccounts/payouts tabs for sub-accounts without permission
- 5 tests: non-sub-account, blocked events, allowed events, blocked tickets

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Serreau Jovann
2026-03-22 22:05:16 +01:00
parent 6db0566f69
commit 94ebe09181
4 changed files with 252 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

155
tests/EventSubscriber/SubAccountPermissionSubscriberTest.php Normal file
View File

@@ -0,0 +1,155 @@
<?php
namespace App\Tests\EventSubscriber;
use App\Entity\User;
use App\EventSubscriber\SubAccountPermissionSubscriber;
use PHPUnit\Framework\TestCase;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Session\Flash\FlashBag;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
class SubAccountPermissionSubscriberTest extends TestCase
{
public function testSubscribedEvents(): void
{
self::assertArrayHasKey(KernelEvents::REQUEST, SubAccountPermissionSubscriber::getSubscribedEvents());
}
public function testIgnoresNonSubAccount(): void
{
$user = new User();
$user->setEmail('orga@test.fr');
$user->setFirstName('O');
$user->setLastName('T');
$user->setPassword('h');
$security = $this->createMock(Security::class);
$security->method('getUser')->willReturn($user);
$urlGenerator = $this->createMock(UrlGeneratorInterface::class);
$subscriber = new SubAccountPermissionSubscriber($security, $urlGenerator);
$request = Request::create('/mon-compte/evenement/creer', 'GET');
$request->attributes->set('_route', 'app_account_create_event');
$request->setSession(new Session(new MockArraySessionStorage()));
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$subscriber->onKernelRequest($event);
self::assertNull($event->getResponse());
}
public function testBlocksSubAccountWithoutEventsPermission(): void
{
$parent = new User();
$parent->setEmail('parent@test.fr');
$parent->setFirstName('P');
$parent->setLastName('T');
$parent->setPassword('h');
$sub = new User();
$sub->setEmail('sub@test.fr');
$sub->setFirstName('S');
$sub->setLastName('T');
$sub->setPassword('h');
$sub->setParentOrganizer($parent);
$sub->setSubAccountPermissions(['scanner']);
$security = $this->createMock(Security::class);
$security->method('getUser')->willReturn($sub);
$urlGenerator = $this->createMock(UrlGeneratorInterface::class);
$urlGenerator->method('generate')->willReturn('/mon-compte');
$subscriber = new SubAccountPermissionSubscriber($security, $urlGenerator);
$request = Request::create('/mon-compte/evenement/creer', 'GET');
$request->attributes->set('_route', 'app_account_create_event');
$request->setSession(new Session(new MockArraySessionStorage()));
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$subscriber->onKernelRequest($event);
self::assertNotNull($event->getResponse());
self::assertSame(302, $event->getResponse()->getStatusCode());
}
public function testAllowsSubAccountWithEventsPermission(): void
{
$parent = new User();
$parent->setEmail('parent2@test.fr');
$parent->setFirstName('P');
$parent->setLastName('T');
$parent->setPassword('h');
$sub = new User();
$sub->setEmail('sub2@test.fr');
$sub->setFirstName('S');
$sub->setLastName('T');
$sub->setPassword('h');
$sub->setParentOrganizer($parent);
$sub->setSubAccountPermissions(['events', 'scanner']);
$security = $this->createMock(Security::class);
$security->method('getUser')->willReturn($sub);
$urlGenerator = $this->createMock(UrlGeneratorInterface::class);
$subscriber = new SubAccountPermissionSubscriber($security, $urlGenerator);
$request = Request::create('/mon-compte/evenement/creer', 'GET');
$request->attributes->set('_route', 'app_account_create_event');
$request->setSession(new Session(new MockArraySessionStorage()));
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$subscriber->onKernelRequest($event);
self::assertNull($event->getResponse());
}
public function testBlocksSubAccountWithoutTicketsPermission(): void
{
$parent = new User();
$parent->setEmail('parent3@test.fr');
$parent->setFirstName('P');
$parent->setLastName('T');
$parent->setPassword('h');
$sub = new User();
$sub->setEmail('sub3@test.fr');
$sub->setFirstName('S');
$sub->setLastName('T');
$sub->setPassword('h');
$sub->setParentOrganizer($parent);
$sub->setSubAccountPermissions(['events']);
$security = $this->createMock(Security::class);
$security->method('getUser')->willReturn($sub);
$urlGenerator = $this->createMock(UrlGeneratorInterface::class);
$urlGenerator->method('generate')->willReturn('/mon-compte');
$subscriber = new SubAccountPermissionSubscriber($security, $urlGenerator);
$request = Request::create('/mon-compte/evenement/1/billet/ajouter', 'GET');
$request->attributes->set('_route', 'app_account_event_add_billet');
$request->setSession(new Session(new MockArraySessionStorage()));
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$subscriber->onKernelRequest($event);
self::assertNotNull($event->getResponse());
}
}