Permissions on users logic #39

tonongregory · 2025-01-27T15:59:29Z

Description

Add permission to view & execute process.

Requirements

Documentation updates
- Reference
- Changelog
Unit tests

Breaking changes

tonongregory · 2025-01-27T16:02:24Z

src/DependencyInjection/CompilerPass/SecurityRolesCompilerPass.php

Ici on change la config https://symfony.com/doc/current/security.html#hierarchical-roles
On ajoute au role ROLE_SUPER_ADMIN pour chaque process un role ROLE_PROCESS_VIEW#{process.code} && ROLE_PROCESS_EXECUTE#{process.code}

tonongregory · 2025-01-27T16:03:53Z

src/Controller/Admin/LogRecordCrudController.php


        return $filters->add(
            LogProcessFilter::new('process', $processList, $id)
        )->add(
            ChoiceFilter::new('level')->setChoices(array_combine(Level::NAMES, Level::VALUES))
        )->add('message')->add('context')->add('createdAt');
    }
+


Modification du query builder de la page de listing des logs pour ne pas afficher les rôles sur lesquels l'user connecté n'a pas le role ROLE_PROCESS_VIEW#{process.code}

tonongregory · 2025-01-27T16:04:48Z

src/Controller/Admin/ProcessExecutionCrudController.php

@@ -153,4 +160,22 @@ private function getLogFilePath(ProcessExecution $processExecution): string
            \DIRECTORY_SEPARATOR.$processExecution->logFilename
        ;
    }
+


Modification du query builder de la page de listing de l'execution des process pour ne pas afficher les rôles sur lesquels l'user connecté n'a pas le role ROLE_PROCESS_VIEW#{process.code}

njoubert-cleverage · 2025-02-21T16:22:52Z

src/DependencyInjection/CompilerPass/SecurityRolesCompilerPass.php

+            $processRoles = array_merge(...array_map(fn ($code) => ['ROLE_PROCESS_VIEW#'.$code, 'ROLE_PROCESS_EXECUTE#'.$code], $processCodes));
+            $roleHierarchy = $container->getParameter('security.role_hierarchy.roles');
+            if (\is_array($roleHierarchy)) {
+                $roleHierarchy['ROLE_SUPER_ADMIN'] = array_merge($roleHierarchy['ROLE_SUPER_ADMIN'] ?? [], $processRoles);


Rajouter 2 niveaux ROLE_PROCESS_VIEW et ROLE_PROCESS_EXECUTE qui contiennent leurs enfants respectifs. Du coup ROLE_SUPER_ADMIN, contient [ROLE_PROCESS_VIEW, ROLE_PROCESS_EXECUTE].

Ajouter un bout de doc expliquant qu'il suffit de mettre un role_hierarchy: ROLE_ADMIN: [ROLE_PROCESS_VIEW, ROLE_PROCESS_EXECUTE] si on a pas besoin de cette protection.

njoubert-cleverage · 2025-02-21T16:27:46Z

templates/admin/process/list.html.twig

-                                        code: {
-                                            comparison: '=',
-                                            value: process.code,
+                {% if is_granted("ROLE_PROCESS_VIEW##{process.code}", process) %}


ajouter ROLE_PROCESS_VIEW

njoubert-cleverage · 2025-02-21T16:28:27Z

templates/admin/process/list.html.twig

+                        <td>{% if process.options.ui.source is defined %}{{ process.options.ui.source }}{% endif %}</td>
+                        <td>{% if process.options.ui.target is defined %}{{ process.options.ui.target }}{% endif %}</td>
+                        <td class="text-right">
+                            {% if is_granted("ROLE_PROCESS_EXECUTE##{process.code}", process) %}


Ajouter ROLE_PROCESS_EXECUTE

njoubert-cleverage · 2025-02-21T16:33:42Z

src/Controller/Admin/ProcessExecutionCrudController.php

+        $roles = $this->roleHierarchy->getReachableRoleNames($this->getUser()?->getRoles() ?? []);
+        $qb = parent::createIndexQueryBuilder($searchDto, $entityDto, $fields, $filters);
+        $qb->andWhere(
+            $qb->expr()->in(


Si l'user a accès a ROLE_PROCESS_VIEW alors ne pas faire le filtrage.

njoubert-cleverage · 2025-02-21T16:38:23Z

src/Controller/Admin/UserCrudController.php


-#[IsGranted('ROLE_USER')]
+#[IsGranted('ROLE_SUPER_ADMIN')]
 class UserCrudController extends AbstractCrudController


A voir si on fait une gestion des groupes via une admin ou juste via le security.yaml role_hierarchy.

Permissions on users logic

5a1a504

tonongregory commented Jan 27, 2025

View reviewed changes

clever-age-gtonon added 2 commits January 28, 2025 10:27

Add impersonate action

77d847a

Add impersonate action quality fix

3128041

njoubert-cleverage assigned tonongregory Feb 10, 2025

njoubert-cleverage added enhancement New feature or request and removed enhancement New feature or request labels Feb 10, 2025

njoubert-cleverage added this to the v3.0 milestone Feb 21, 2025

njoubert-cleverage reviewed Feb 21, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Permissions on users logic #39

Permissions on users logic #39

tonongregory commented Jan 27, 2025

tonongregory Jan 27, 2025

tonongregory Jan 27, 2025

tonongregory Jan 27, 2025

njoubert-cleverage Feb 21, 2025

njoubert-cleverage Feb 21, 2025

njoubert-cleverage Feb 21, 2025

njoubert-cleverage Feb 21, 2025

njoubert-cleverage Feb 21, 2025

Permissions on users logic #39

Are you sure you want to change the base?

Permissions on users logic #39

Conversation

tonongregory commented Jan 27, 2025

Description

Requirements

Breaking changes

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment