adapt logic to new structure

2026-02-10 16:01:59 +01:00 · 2026-02-10 16:01:59 +01:00 · 709a9f44cb
parent a9493bfb0f
commit 709a9f44cb
1 changed files with 43 additions and 26 deletions
--- a/src/Service/UserService.php
+++ b/src/Service/UserService.php
@ -8,6 +8,7 @@ use App\Entity\Roles;
 use App\Entity\User;
 use App\Entity\UserOrganizatonApp;
 use App\Entity\UsersOrganizations;
+use App\Repository\RolesRepository;
 use DateTimeImmutable;
 use DateTimeZone;
 use Doctrine\ORM\EntityManagerInterface;
@ -33,7 +34,7 @@ class UserService
                                private readonly ActionService            $actionService,
                                private readonly EmailService             $emailService,
                                private readonly OrganizationsService     $organizationsService,
-                                private readonly EventDispatcherInterface $eventDispatcher
+                                private readonly EventDispatcherInterface $eventDispatcher, private readonly RolesRepository $rolesRepository
    )
    {

@ -48,6 +49,23 @@ class UserService
        return bin2hex(random_bytes(32));
    }

+    /** Check if the user is admin in any organization.
+     * Return true if the user is admin in at least one organization, false otherwise.
+     *
+     * @param User $user
+     * @return bool
+     * @throws Exception
+     */
+//    TODO: pas sur de l'utiliser, à vérifier
+    public function isAdminInAnyOrganization(User $user): bool
+    {
+        $roleAdmin = $this->rolesRepository->findOneBy(['name' => 'ADMIN']);
+        $uoAdmin = $this->entityManager->getRepository(UsersOrganizations::class)->findOneBy([
+            'users' => $user,
+            'isActive' => true,
+            'role'=> $roleAdmin]);
+        return $uoAdmin !== null;
+    }

    /**
     * Check if the user is currently connected.
@ -75,26 +93,30 @@ class UserService
    }

    /**
-     * Check if the user have the rights to access the page
-     * Self check can be skipped when checking access for the current user
+     * Determines if the currently logged-in user has permission to manage or view a target User.
+     * * Access is granted if:
+     * 1. The current user is a Super Admin.
+     * 2. The current user is the target user itself.
+     * 3. The current user is an active Admin of an organization the target user belongs to.
     *
-     * @param User $user
-     * @param bool $skipSelfCheck
-     * @return bool
-     * @throws Exception
+     * @param User $user            The target User object we are checking access against.
+     * * @return bool True if access is permitted, false otherwise.
+     * @throws Exception If database or security context issues occur.
     */
-    public function hasAccessTo(User $user, bool $skipSelfCheck = false): bool
+    public function hasAccessTo(User $user): bool
    {
-        if ($this->security->isGranted('ROLE_SUPER_ADMIN')) {
+        if ($this->security->isGranted('ROLE_ADMIN')) {
            return true;
        }
-        if (!$skipSelfCheck && $user->getUserIdentifier() === $this->security->getUser()->getUserIdentifier()) {
+//        S'il s'agit de son propre compte, on lui donne accès
+        if ($user->getUserIdentifier() === $this->security->getUser()->getUserIdentifier()) {
            return true;
        }
        $userOrganizations = $this->entityManager->getRepository(UsersOrganizations::class)->findBy(['users' => $user]);
        if ($userOrganizations) {
            foreach ($userOrganizations as $uo) {
-                if ($this->isAdminOfOrganization($uo->getOrganization()) && $uo->getStatut() === "ACCEPTED" && $uo->isActive()) {
+                //l'utilisateur doit être actif dans l'org, avoir le statut ACCEPTED (double vérif) et être admin de l'org
+                if ($uo->getStatut() === "ACCEPTED" && $uo->isActive() && $this->isAdminOfOrganization($uo->getOrganization())) {
                    return true;
                }
            }
@ -103,11 +125,11 @@ class UserService

    }

+
+
    /**
-     * Check if the user is an admin of the organization
-     * A user is considered an admin of an organization if they have the 'ROLE_ADMIN' AND have the link to the
-     * entity role 'ROLE_ADMIN' in the UsersOrganizationsApp entity
-     * (if he is admin for any application of the organization).
+     * Check if the acting user is an admin of the organization
+     * A user is considered an admin of an organization if they have an active UsersOrganizations link with the role of ADMIN for that organization.
     *
     * @param Organizations $organizations
     * @return bool
@ -116,19 +138,14 @@ class UserService
    public function isAdminOfOrganization(Organizations $organizations): bool
    {
        $actingUser = $this->getUserByIdentifier($this->security->getUser()->getUserIdentifier());
-        $uo = $this->entityManager->getRepository(UsersOrganizations::class)->findOneBy(['users' => $actingUser, 'organization' => $organizations]);
        $roleAdmin = $this->entityManager->getRepository(Roles::class)->findOneBy(['name' => 'ADMIN']);
-        if ($uo) {
-            $uoa = $this->entityManager->getRepository(UserOrganizatonApp::class)->findOneBy(['userOrganization' => $uo,
-                'role' => $roleAdmin,
-                'isActive' => true]);
-            if ($uoa && $this->security->isGranted('ROLE_ADMIN')) {
-                return true;
-            }
-        }
-        return false;
-    }
+        $uoAdmin = $this->entityManager->getRepository(UsersOrganizations::class)->findOneBy(['users' => $actingUser,
+            'organization' => $organizations,
+            'role'=> $roleAdmin,
+            'isActive' => true]);
+        return $uoAdmin !== null;

+    }

    /**
     * Get the user by their identifier.