admin/e-ticket
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
466 Commits 1 Branch 0 Tags
e6b410e7158743da65a520ebfbffab2d6c6dc52f
Commit Graph

466 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Serreau Jovann
e6b410e715 Update sandbox fixtures: 3 events (past/ongoing/upcoming), 5 scan scenarios 
Events:
- #1 Brocante de Printemps (past, offline)
- #2 Convention Cosplay (ongoing, online)
- #3 Marche de Noel (upcoming, online)

6 categories, 8 billets across all events

Scan scenarios for event #2 (ongoing):
- DEMO-0001: valid, never scanned
- DEMO-0002: refused, exit_definitive (already scanned with definitive exit)
- DEMO-0003: accepted, unlimited entry/exit (already scanned once)
- DEMO-0004: accepted, invitation (never scanned)
- DEMO-0005: refused, invalid (vote type - no generated ticket)

API doc: show sandbox event IDs and scan references with colored badges

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 19:15:38 +01:00
Serreau Jovann
40e89afc71 Create API controllers structure with JWT auth and sandbox fixtures 
Controllers:
- ApiAuthController: POST /api/auth/login with JWT generation (HS256, 24h TTL)
  - Validates email + password against DB
  - Returns JWT token with userId, email, roles, iat, exp
  - Static verifyJwt() for use by live/sandbox controllers
  - Only ROLE_ORGANIZER can authenticate
- ApiLiveController: empty shell at /api/live (routes to implement)
- ApiSandboxController: empty shell at /api/sandbox (routes to implement)

Auth is shared: one /api/auth/login for both environments using real credentials.

Sandbox fixtures (data/sandbox/fixtures.json):
- 2 events (Brocante + Convention Cosplay)
- 4 categories across events
- 6 billets with varied types (billet, reservation_brocante)
- 6 billet details with descriptions, images, categories, events
- 4 scan results (2 accepted, 2 refused with different reasons)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 19:12:28 +01:00
Serreau Jovann
8ab8efbf07 Simplify API: keep only events, categories, billets and scan routes 
Remove: orders, orders/{id}, events/{id}/orders, events/{id}/stats,
events/{id}/tickets, events/{id}/scan-stats, events/{id}/billets,
export CSV routes

Keep only 7 routes:
- POST /api/auth/login (auth)
- GET /api/events (list)
- GET /api/events/{id} (detail)
- GET /api/events/{id}/categories (categories of event)
- GET /api/categories/{id}/billets (billets of category)
- GET /api/billets/{id} (billet detail with image)
- POST /api/scan (scan ticket: accepted/refused)

API is focused on: browse events → load categories → load billets → scan

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 19:09:00 +01:00
Serreau Jovann
9981121638 Simplify scan API: remove /verify, add accepted/refused state with reason and details 
- Remove POST /api/scan/verify (redundant with /api/scan)
- POST /api/scan now returns state: "accepted" or "refused" with reason
- Refused reasons: already_scanned, invalid, expired, exit_definitive, wrong_event
- Accepted response includes details object (for future additional data)
- Template: render extra section (refusal reasons table in red)
- Only 2 POST routes remain: /api/auth/login + /api/scan (all others are GET)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 19:06:13 +01:00
Serreau Jovann
8a65df5c7c Remove PATCH /api/billets/{id}/stock from API doc 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 19:04:12 +01:00
Serreau Jovann
17cf042379 Add GET /api/billets/{id} endpoint to API doc (billet detail with image URL) 
- Returns all billet fields: name, description, priceHT, quantity, sold, type, isGeneratedBillet, hasDefinedExit, notBuyable, position
- Includes imageUrl (absolute URL to billet picture if present, null otherwise)
- Includes nested category (id, name) and event (id, title)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 19:03:39 +01:00
Serreau Jovann
10d9051880 Remove inline script from API doc, add CSP policy section 
Security:
- Move env switcher logic to assets/modules/api-env-switcher.js (no inline script)
- Register in app.js via initApiEnvSwitcher()
- Compliant with CSP script-src (no unsafe-inline needed for this page)

API doc:
- Add CSP policy section showing all authorized origins per directive
- Table: script-src, connect-src, style-src, img-src, font-src, frame-src, form-action, object-src, worker-src
- Note: inline scripts not allowed, must use nonce or external file

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 19:02:28 +01:00
Serreau Jovann
419c7f0a19 Add live/sandbox environment switcher on /api/doc 
- Toggle switch (Sandbox orange / Live green) in header section
- Switches update in real-time: base URL, description, all endpoint path prefixes
- Sandbox: /api/sandbox (orange), Live: /api/live (green)
- Auth endpoints (/api/auth/*) are not affected by the toggle
- No page reload needed, pure JS DOM updates

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 18:59:46 +01:00
Serreau Jovann
2e01f1f4c0 Add sandbox/live environments to API doc, update TASK_CHECKUP for JWT auth 
API doc:
- Add sandbox (/api/sandbox) and live (/api/live) environments with badges
- Auth (/api/auth/login) is shared between environments
- Endpoint paths show both prefixes: /api/sandbox|/api/live/...
- Auth endpoints show path without prefix

TASK_CHECKUP:
- Replace API key auth with JWT auth (ETicket-Email + ETicket-JWT headers)
- All routes use {env} prefix (sandbox/live)
- /mon-compte API tab redirects to /api/doc
- Sandbox: read-only mode (POST/PATCH/DELETE return result without DB modification)
- Mark documentation tasks as done

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 18:58:17 +01:00
Serreau Jovann
ece406d50e Add JSON spec button on /api/doc page 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 18:56:10 +01:00
Serreau Jovann
9c5c1b6da5 Add custom API documentation page at /api/doc 
- ApiDocController: serves doc page + JSON spec at /api/doc/spec.json
- Custom brutal design template matching site aesthetic
- 6 sections: Auth, Events, Orders, Scanner, Billets/Stock, Export
- Each endpoint shows: method badge (colored), path, summary, description
- Auth headers: ETicket-Email + ETicket-JWT displayed prominently
- Parameters table with type, required, default values
- Request body with JSON example and field types
- Response body with JSON example
- Status codes with colored badges (green/yellow/red)
- Rate limiting section with X-RateLimit headers
- Table of contents with anchor links
- Standard response format: {success, data, error}
- No external dependencies (no Swagger/NelmioApiDoc)
- Fully customizable via PHP spec array

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 18:51:46 +01:00
Serreau Jovann
4e49553c3d Remove console.error in share.js (ESLint no-console) 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 18:45:22 +01:00
Serreau Jovann
d4e30abffb fix error navbar 2026-03-23 18:37:24 +01:00
Serreau Jovann
f508ce2751 Fix backup script: use db-master container name and default db credentials 
- Container name: database → db-master (matches docker-compose-prod.yml)
- Variables: vault_postgres_user/db → db_user/db_name with defaults 'e-ticket'
- No vault variable required, falls back to docker-compose-prod defaults

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 18:34:48 +01:00
Serreau Jovann
059eceaefe Fix PHP CS Fixer style in AccountControllerTest 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 18:13:29 +01:00
Serreau Jovann
82c90f5b8b Fix LibreTranslate deploy: healthcheck from PHP container, ignore_errors, add QR code tests 
- Ansible: healthcheck via PHP container (curl from php, not libretranslate)
- Ansible: exit 0 if LibreTranslate not ready (don't block deploy)
- Ansible: ignore_errors on translation step (non-blocking)
- AccountControllerTest: add testEventQrCode (PNG response) and testEventQrCodeDeniedForOtherUser (403)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 18:12:18 +01:00
Serreau Jovann
acccd4a0c4 Fix LibreTranslate timeout: increase wait to 3min, add Ansible healthcheck wait 
- TranslateCommand: increase waitForApi retries from 30 to 90 (3 minutes total)
- Ansible deploy: add explicit healthcheck wait step (60×5s = 5min max) before translation
- First launch downloads ~2-4GB of language models, needs more time

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 18:10:54 +01:00
Serreau Jovann
da0076fa51 aa 2026-03-23 16:58:27 +01:00
Serreau Jovann
4742da8554 aa 2026-03-23 15:53:02 +01:00
Serreau Jovann
bc4601eb5c aa 2026-03-23 15:44:20 +01:00
Serreau Jovann
8a42a3dde4 aa 2026-03-23 15:35:21 +01:00
Serreau Jovann
f0002ae7cb aa 2026-03-23 15:32:43 +01:00
Serreau Jovann
6b009a4511 Add social sharing buttons and QR code for events 
Public event page:
- Share buttons: X (Twitter), Facebook, Instagram (copy link), TikTok (copy link), copy link
- Buttons use url_encode for share URLs with event title + URL
- Instagram/TikTok copy to clipboard (no direct share URL support)
- Consistent brutal design with aria-labels

Organizer dashboard:
- Share X, Facebook, copy link buttons per event in events list
- QR code download button per event
- Route /mon-compte/evenement/{id}/qrcode: generates 400px PNG QR code via Endroid
- QR code points to public event URL, downloaded as qrcode-{slug}.png

JS module:
- assets/modules/share.js: initShare() handles data-share-copy buttons
- Copies URL to clipboard, shows checkmark for 1.5s then restores icon
- 4 tests (no buttons, copy, checkmark restore, multiple buttons)

Social icons already displayed via _social_icons.html.twig component

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 15:11:53 +01:00
Serreau Jovann
1af242c307 Fix SonarQube/PHPStan issues: session type, returns count, coverage gaps 
- AuditLog: move @var before ORM attribute for PHPStan visibility
- SubAccountPermissionSubscriber: use Session instead of FlashBagAwareSessionInterface
- SuspendedUserSubscriber: same Session type fix
- OrderController::create: merge expired + invalid cart into single return (4→3 returns)
- OrderControllerTest: add testCreateOrderUnlimitedBillet (covers clampQuantity unlimited branch)
- AccountControllerTest: add BilletOrder in soldCounts test (covers foreach $rows loop)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 14:47:02 +01:00
Serreau Jovann
544e6632da Fix testCreateOrderEmptyCart: expect 400 after isValidCart refactor 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 14:34:09 +01:00
Serreau Jovann
6fa29a0f84 Fix PHP CS Fixer style in OrderController 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 14:30:46 +01:00
Serreau Jovann
42842effcb Add PHPDoc @param array<string, mixed> on AuditService::log() 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 14:28:08 +01:00
Serreau Jovann
1032bcfb86 Fix getFlashBag() type hint, reduce returns in SuspendedUserSubscriber 
- SubAccountPermissionSubscriber: cast session to FlashBagAwareSessionInterface
- SuspendedUserSubscriber: merge 3 guard clauses into one, extract ALLOWED_ROUTES constant (4→2 returns)
- SuspendedUserSubscriber: cast session to FlashBagAwareSessionInterface

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 14:27:35 +01:00
Serreau Jovann
e1d41e7724 Fix PHPDoc types on AuditLog, reduce returns in CsrfProtectionSubscriber 
- AuditLog: add @return/@param array<string, mixed> on getData()/setData()
- CsrfProtectionSubscriber: extract shouldVerifyCsrf() helper (5→2 returns in onKernelRequest)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 14:26:44 +01:00
Serreau Jovann
600e095d16 Fix SonarQube issues: reduce returns, cognitive complexity, PHPDoc types 
- TranslateCommand: replace @phpstan-ignore-line with proper comment in catch block
- OrderController::create: extract isValidCart() helper (5→3 returns)
- OrderController::guest: merge empty fields + email validation into single return (4→3 returns)
- OrderController::buildOrderItems: extract isBilletAvailable() and clampQuantity() (16→~10 complexity)
- HomeController::invitationRegister: extract handleInvitationRegistration() (already done)
- AuditLog: add @var array<string, mixed> PHPDoc on $data property

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 14:24:58 +01:00
Serreau Jovann
bfc6c03000 Fix SonarQube issues: cognitive complexity, duplicate literals, PHPDoc, regex syntax 
- AdminController: extract DQL_STATUS_PAID constant (3 occurrences)
- AdminController: remove misplaced @return PHPDoc on export(), add it on computeEventStats()
- HomeController: extract handleInvitationRegistration() to reduce complexity and returns (17→~10, 4→3 returns)
- MeilisearchConsistencyCommand: extract userToDocument() to reduce checkUserIndex complexity (18→~10)
- TranslateCommand: use \w instead of [a-zA-Z0-9_] in regex
- TranslateCommand: add comment in empty catch block

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 13:38:53 +01:00
Serreau Jovann
09a3e7867e Reduce cognitive complexity, improve test coverage, fix SonarQube issues 
Cognitive complexity refactors:
- cart.js: extract buildCart, handleCheckout, updateStockLabel, updateItemStock, startStockPolling (21→~8)
- tabs.js: use .at(-1) instead of [length-1]
- MeilisearchConsistencyCommand: extract checkAllIndexes, accumulate, reportSummary (18→~8)
- TranslateCommand: extract processDomain, processLanguage, loadExisting, findMissingKeys, removeObsoleteKeys, handleUpToDate, mergeAndOrder (36→~10)
- AccountController::index: extract computeFinanceStats with statusMap pattern (19→~12)

Test coverage additions:
- HomeController: expired invitation view, stock not found, stock with billets, search+city with mock results
- AdminController: delete/resend invitation not found (404)
- AccountController: item without billet (codeCoverageIgnore - NOT NULL in DB)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 12:57:00 +01:00
Serreau Jovann
1eba8b41ee Fix PHP CS Fixer style in AdminControllerTest 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 12:29:21 +01:00
Serreau Jovann
c2ebd291b8 Add test coverage for remaining controllers, fix label accessibility, refactor duplicated code 
New tests (47 added, 622 total):
- MonitorMessengerCommand: no failures, failures with email, null error, multiple (4)
- UnsubscribeController: unsubscribe with invitations refused + admin notified (1)
- AdminController: suspend/reactivate orga, orders page with filters, logs, invite orga submit/empty, delete/resend invitation, export CSV/PDF (13)
- AccountController: export CSV/PDF, getAllowedBilletTypes (free/basic/sur-mesure/null), billet type restriction, finance stats all statuses, soldCounts (9)
- HomeController: city filter, date filter, all filters combined, stock route (4)
- OrderController: event ended, invalid cart JSON, invalid email, stock zero (4)
- MailerService: getAdminEmail, getAdminFrom (2)
- JS: comment node, tabs missing panel/id/parent, cart stock polling edge cases (10)

Accessibility fixes:
- events.html.twig: add for/id on search, city, date labels
- admin/orders.html.twig: add for/id on search, status labels

Code quality:
- cart.js: remove dead ternaire branch (max > 10 always plural)
- tabs.js: use optional chaining for tablist?.setAttribute
- MeilisearchConsistencyCommand: extract diffAndReport() (was duplicated 3x)
- Email templates: extract _order_items_table.html.twig partial
- SonarQube: exclude src/Entity/** from CPD

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 12:11:07 +01:00
Serreau Jovann
42d06dd49f Add LibreTranslate auto-translation, improve test coverage, fix code duplication 
Translation system:
- Add LibreTranslate container (dev + prod), CPU-only, no port exposed, FR/EN/ES/DE/IT
- Create app:translate command: reads *.fr.yaml, translates incrementally, preserves placeholders
- Makefile: make trans / make trans_prod (stops container after translation)
- Ansible: start libretranslate -> translate -> stop during deploy
- Prod container restart: "no" (only runs during deploy)
- .gitignore: ignore generated *.en/es/de/it.yaml files
- 11 tests for TranslateCommand (API unreachable, empty, incremental, obsolete keys, placeholders, fallback)

Test coverage improvements:
- OrderController: event ended (400), invalid cart JSON, invalid email, stock zero (4 new tests)
- AccountController: finance stats all statuses (paid/pending/refunded/cancelled), soldCounts (2 new tests)
- JS cart: checkout without error elements, hide error on retry, stock polling edge cases (singular, no label, qty zero, unknown billet) (8 new tests)
- JS editor: comment node sanitization (1 new test)
- JS tabs: missing panel, generated id, parent null, click no-panel (5 new tests)

Code duplication fixes:
- MeilisearchConsistencyCommand: extract diffAndReport() method (was duplicated 3x)
- Email templates: extract _order_items_table.html.twig partial (shared by notification + cancelled)
- SonarQube: exclude src/Entity/** from CPD (getters/setters duplication)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 11:44:13 +01:00
Serreau Jovann
04927ec988 Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization 
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)

Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin

UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page

Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)

Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config

Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 11:14:06 +01:00
Serreau Jovann
61200adc74 Add stock management, order notifications, webhooks, expiration cron, and billet type validation 
- Decrement billet quantity after purchase in BilletOrderService::generateOrderTickets
- Block purchase when stock is exhausted (quantity <= 0) in OrderController::buildOrderItems
- Add organizer email notification on new order (order_notification_orga template)
- Add organizer email notification on cancel/refund (order_cancelled_orga template)
- Add ExpirePendingOrdersCommand (app:orders:expire-pending) cron every 5min via Ansible
  - Cancels pending orders older than 30 minutes, restores stock, invalidates tickets
  - Includes BilletBuyerRepository::findExpiredPending query method
  - 3 unit tests covering: no expired orders, stock restoration, unlimited billets
- Add payment_intent.payment_failed webhook: cancels order, logs audit, emails buyer
- Add charge.refunded webhook: sets order to refunded, invalidates tickets, notifies orga and buyer
- Validate billet type (billet/reservation_brocante/vote) against organizer offer
  - getAllowedBilletTypes: gratuit=billet only, basic/sur-mesure=all types
  - Server-side validation in hydrateBilletFromRequest, UI filtering in templates
- Update TASK_CHECKUP.md: all Billetterie & Commandes items now complete

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-23 00:12:30 +01:00
Serreau Jovann
f03b33ac5a Mark invitation Stripe block as not needed (invitations are free, no payment) 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-22 22:50:18 +01:00
Serreau Jovann
517e31f2f7 Auto-login after invitation registration, redirect to /mon-compte 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-22 22:49:41 +01:00
Serreau Jovann
ef06066794 Show clear error and redirect to login on duplicate email registration 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-22 22:34:18 +01:00
Serreau Jovann
36db3fc25d Notify admin when organizer accepts or refuses invitation 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-22 22:33:04 +01:00
Serreau Jovann
80b48b9dbf Add financial dashboard for organizer in payouts tab 
- 6 KPIs: encaissé, en attente, remboursé, com E-Ticket, com Stripe, net perçu
- Calculated from all orders linked to organizer's events
- Displayed above export buttons and payouts table

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-22 22:23:59 +01:00
Serreau Jovann
141871af1f Mark payouts tab as already done in TASK_CHECKUP 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-22 22:19:22 +01:00
Serreau Jovann
608b746989 Add monthly export CSV + PDF for admin and organizers 
- ExportService: monthly stats query, CSV generation, PDF generation via dompdf
- Admin: /admin/export/{year}/{month} (CSV) + /admin/export/{year}/{month}/pdf
- Orga: /mon-compte/export/{year}/{month} (CSV) + /mon-compte/export/{year}/{month}/pdf
- Admin CSV: commande, date, événement, orga, acheteur, billets, total HT, com E-Ticket, com Stripe
- Orga CSV: + net perçu column
- PDF A4 landscape: KPIs + orders table with commissions breakdown
- Buttons in admin dashboard and orga payouts tab (current + previous month)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-22 22:16:55 +01:00
Serreau Jovann
47916f5f30 Add admin dashboard stats: CA, commissions E-Ticket/Stripe, orders, billets, orgas 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-22 22:09:16 +01:00
Serreau Jovann
94ebe09181 Enforce sub-account permissions on events and tickets routes 
- SubAccountPermissionSubscriber: checks events/tickets permissions for sub-accounts
- Blocks access with redirect + flash error if permission missing
- Hide events/subaccounts/payouts tabs for sub-accounts without permission
- 5 tests: non-sub-account, blocked events, allowed events, blocked tickets

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-22 22:05:16 +01:00
Serreau Jovann
6db0566f69 Add admin orders page with search, status filter, KPIs 
- /admin/commandes: paginated list of all orders
- Search by order number, name, email
- Filter by status (pending, paid, cancelled, refunded)
- 4 KPIs: paid count, CA total HT, refunded count, cancelled count
- Table: order number, buyer, event, billets, total, date, status badges
- Navigation link 'Commandes' in admin header

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-22 21:25:32 +01:00
Serreau Jovann
372bf46136 Add organizer suspension: toggle, badge, block access, audit log 
- User.isSuspended (nullable bool, null = not suspended)
- Admin: toggle suspend/reactivate button on organizers list
- SuspendedUserSubscriber: redirects suspended users to homepage with error
- Audit log: organizer_suspended / organizer_reactivated
- Badge 'Suspendu' (red) replaces offer badge when suspended

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-22 20:53:46 +01:00
Serreau Jovann
64d0a6fd29 Mark admin edit offer/commission as done, add sub-account permissions verification task 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-22 20:49:23 +01:00
Serreau Jovann
66ac2379ec Add audit trail: AuditLog entity, AuditService, admin logs page 
- AuditLog entity: action, entityType, entityId, data (JSON), performedBy, ipAddress
- AuditService: logs actions with current user and IP
- Audit on: order_created, order_paid, order_cancelled, order_refunded
- Admin /admin/logs: paginated table with action badges, details, user, IP
- Navigation link 'Logs' in admin header

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-22 20:48:10 +01:00