From 41c6e82a1318892de390ad59ce53a80781221815 Mon Sep 17 00:00:00 2001
From: Charles
Date: Mon, 8 Sep 2025 08:57:50 +0200
Subject: [PATCH] roles logic updated
---
 src/Service/UserOrganizationAppService.php | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/Service/UserOrganizationAppService.php b/src/Service/UserOrganizationAppService.php
index 858f99a..175272d 100644
--- a/src/Service/UserOrganizationAppService.php
+++ b/src/Service/UserOrganizationAppService.php
@@ -8,11 +8,13 @@ use App\Entity\User;
 use App\Entity\UserOrganizatonApp;
 use App\Entity\UsersOrganizations;
 use App\Service\ActionService;
+use App\Service\UserService;
 use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
 class UserOrganizationAppService
 {
- public function __construct(private readonly EntityManagerInterface $entityManager, private readonly ActionService $actionService)
+ public function __construct(private readonly EntityManagerInterface $entityManager, private readonly ActionService $actionService, private readonly Security $security, private readonly UserService $userService)
 {
 }
@@ -35,9 +37,9 @@ class UserOrganizationAppService
 if (!isset($grouped[$appId])) {
 $grouped[$appId] = [
 'uoId' => $uoa->getUserOrganization()->getId(),
- 'application' => $app, // you can still pass entity here
- 'roles' => [], // selected roles for display
- 'rolesArray' => [], // all possible roles
+ 'application' => $app,
+ 'roles' => [],
+ 'rolesArray' => [],
 'selectedRoleIds' => [],
 ];
 }
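Review bot: The constructor hunk injects `UserService $userService`, but nothing in this commit reads it: the diffstat's 13 insertions are all visible here and only `$this->security` is used, in the role filter of the last hunk. Because the property is introduced by this very change, no older code in the file can depend on it either. Drop it until it is needed, so the service's dependency list reflects what it actually calls: `..., private readonly ActionService $actionService, private readonly Security $security)`, and remove the matching `use App\Service\UserService;` line.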
@@ -49,11 +51,17 @@ class UserOrganizationAppService
 $grouped[$appId]['selectedRoleIds'][] = $roleEntity->getId();
 }
- // roles are the same for all apps → load once, inject into each appGroup
+ // Load all possible roles once
 $allRoles = $this->entityManager->getRepository(Roles::class)->findAll();
 foreach ($grouped as &$appGroup) {
 foreach ($allRoles as $role) {
+ // exclude SUPER ADMIN from assignable roles if current user is just ADMIN
+ if ($this->security->isGranted('ROLE_ADMIN') && !$this->security->isGranted('ROLE_SUPER_ADMIN')
+ && $role->getName() === 'SUPER ADMIN') {
+ continue;
+ }
+
 $appGroup['rolesArray'][] = [
 'id' => $role->getId(),
 'name' => $role->getName(),
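Review bot: The new filter inside `foreach ($allRoles as $role)` fails open: SUPER ADMIN is skipped only when the caller holds `ROLE_ADMIN` without `ROLE_SUPER_ADMIN`, so a caller holding neither role, if one can reach this method, still gets it in `rolesArray`. Deny by default and hoist the loop-invariant check above both loops, e.g. `$canAssignSuperAdmin = $this->security->isGranted('ROLE_SUPER_ADMIN');` followed by `if (!$canAssignSuperAdmin && $role->getName() === 'SUPER ADMIN') { continue; }`. This only trims the list of choices handed back to the caller; the commit changes nothing on the path that persists a role assignment, so that handler should also reject a submitted SUPER ADMIN role id from a non-super-admin, otherwise the restriction is cosmetic. The enclosing method begins and ends outside the hunk.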