From d434fecaa531862f2d55f9e3f4b6d892e32f8fff Mon Sep 17 00:00:00 2001 From: Charles Date: Wed, 11 Feb 2026 10:32:38 +0100 Subject: [PATCH] Update access logic on activate/-/deactive user --- src/Controller/UserController.php | 19 +++++-------------- src/Service/UserService.php | 26 +++++++++++++++++++++++++- 2 files changed, 30 insertions(+), 15 deletions(-) diff --git a/src/Controller/UserController.php b/src/Controller/UserController.php index b360a41..5466b30 100644 --- a/src/Controller/UserController.php +++ b/src/Controller/UserController.php @@ -282,29 +282,20 @@ class UserController extends AbstractController * Endpoint to activate/deactivate a user (soft delete) * If deactivating, also deactivate all org links and revoke tokens */ - #[Route('/activeStatus/{id}', name: 'active_status', methods: ['GET', 'POST'])] + #[Route('/activeStatus/{id}', name: 'active_status', methods: ['POST'])] public function activeStatus(int $id, Request $request): JsonResponse { $this->denyAccessUnlessGranted('ROLE_ADMIN'); $actingUser = $this->userService->getUserByIdentifier($this->getUser()->getUserIdentifier()); - $status = $request->get('status'); + $status = $request->request->get('status'); try { - // Access control - if (!$this->userService->hasAccessTo($actingUser, true)) { - $this->loggerService->logAccessDenied($actingUser->getId()); - throw $this->createAccessDeniedException(self::ACCESS_DENIED); - } - - // Load target user $user = $this->userRepository->find($id); if (!$user) { $this->loggerService->logEntityNotFound('User', ['id' => $id], $actingUser->getId()); - throw $this->createNotFoundException(self::NOT_FOUND); } - // Deactivate if ($status === 'deactivate') { $user->setIsActive(false); 
@@ -647,7 +638,7 @@ class UserController extends AbstractController public function dataNew(Request $request): JsonResponse { $actingUser = $this->userService->getUserByIdentifier($this->getUser()->getUserIdentifier()); - if ($this->userService->hasAccessTo($actingUser, true) && $this->isGranted("ROLE_ADMIN")) { + if ($this->userService->hasAccessTo($actingUser, true) && $this->isGranted("ROLE_USER")) { $orgId = $request->query->get('orgId'); $uos = $this->uoRepository->findBy(['organization' => $orgId, 'statut' => ["ACCEPTED", "INVITED"]], orderBy: ['createdAt' => 'DESC'], limit: 5); @@ -683,7 +674,7 @@ class UserController extends AbstractController public function dataAdmin(Request $request): JsonResponse { $actingUser = $this->userService->getUserByIdentifier($this->getUser()->getUserIdentifier()); - if ($this->userService->hasAccessTo($actingUser, true) && $this->isGranted("ROLE_ADMIN")) { + if ($this->userService->hasAccessTo($actingUser, true) && $this->isGranted("ROLE_USER")) { $orgId = $request->query->get('orgId'); $uos = $this->uoRepository->findBy(['organization' => $orgId]); $roleAdmin = $this->entityManager->getRepository(Roles::class)->findOneBy(['name' => 'ADMIN']); @@ -725,7 +716,7 @@ class UserController extends AbstractController { $actingUser = $this->userService->getUserByIdentifier($this->getUser()->getUserIdentifier()); - if ($this->userService->hasAccessTo($actingUser, true) && $this->isGranted("ROLE_ADMIN")) { + if ($this->userService->hasAccessTo($actingUser, true) && $this->isGranted("ROLE_USER")) { $orgId = $request->query->get('orgId'); $page = max(1, (int)$request->query->get('page', 1)); $size = max(1, (int)$request->query->get('size', 10)); diff --git a/src/Service/UserService.php b/src/Service/UserService.php index f367e03..241fc3c 100644 --- a/src/Service/UserService.php +++ b/src/Service/UserService.php 
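Review bot: Dropping the guard from `ROLE_ADMIN` to `ROLE_USER` in `if ($this->userService->hasAccessTo($actingUser, true) && $this->isGranted("ROLE_USER"))` lets any authenticated user fetch membership data for whatever `orgId` arrives in the query string, since neither `hasAccessTo()` nor `isGranted()` receives `$orgId`; the same change is made in the `dataAdmin` hunk and the `@@ -725` hunk. If the intent is that organization admins rather than platform admins see this data, the check should be scoped to the requested organization, for instance by calling the service's existing organization-admin check (the method whose docblock reads 'Check if the acting user is an admin of the organization' in the UserService hunk) with `$orgId` before the repository query. If `hasAccessTo()` already enforces that scoping, which I cannot see from this diff, a comment such as `// hasAccessTo() restricts the caller to their own organizations, so ROLE_USER is sufficient here` would record why the weaker role is safe. Casting the id the way `$page` and `$size` are, `$orgId = (int) $request->query->get('orgId');`, would also reject non-numeric input before it reaches `findBy()`. All three guarded methods continue past their hunks, and the third one's signature lies outside its hunk.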
@@ -125,7 +125,31 @@ class UserService } - + /* Return if the current user is an admin of the target user. + * This is true if the current user is an admin of at least one organization that the target user belongs to. + * + * @param User $user + * @return bool + * @throws Exception + */ + public function isAdminOfUser(User $user): bool + { + $actingUser = $this->getUserByIdentifier($this->security->getUser()->getUserIdentifier()); + $roleAdmin = $this->rolesRepository->findOneBy(['name' => 'ADMIN']); + $adminUOs = $this->entityManager->getRepository(UsersOrganizations::class)->findBy([ + 'users' => $actingUser, + 'isActive' => true, + 'role'=> $roleAdmin]); + $userOrganizations = $this->entityManager->getRepository(UsersOrganizations::class)->findBy(['users' => $user, 'statut' => 'ACCEPTED', 'isActive' => true]); + if ($userOrganizations) { + foreach ($userOrganizations as $uo) { + if (in_array($uo, $adminUOs, true)) { + return true; + } + } + } + return false; + } /** * Check if the acting user is an admin of the organization