Charles-Edouard
/
Easy_solution
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update access logic on activate/-/deactive user

This commit is contained in:
Charles 2026-02-11 10:32:38 +01:00
parent 62107aabd2
commit d434fecaa5
2 changed files with 30 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/Controller/UserController.php
View File

@ -282,29 +282,20 @@ class UserController extends AbstractController
* Endpoint to activate/deactivate a user (soft delete) * Endpoint to activate/deactivate a user (soft delete)
* If deactivating, also deactivate all org links and revoke tokens * If deactivating, also deactivate all org links and revoke tokens
*/ */
#[Route('/activeStatus/{id}', name: 'active_status', methods: ['GET', 'POST'])] #[Route('/activeStatus/{id}', name: 'active_status', methods: ['POST'])]
public function activeStatus(int $id, Request $request): JsonResponse public function activeStatus(int $id, Request $request): JsonResponse
{ {
$this->denyAccessUnlessGranted('ROLE_ADMIN'); $this->denyAccessUnlessGranted('ROLE_ADMIN');
$actingUser = $this->userService->getUserByIdentifier($this->getUser()->getUserIdentifier()); $actingUser = $this->userService->getUserByIdentifier($this->getUser()->getUserIdentifier());
$status = $request->get('status'); $status = $request->request->get('status');
try { try {
// Access control
if (!$this->userService->hasAccessTo($actingUser, true)) {
$this->loggerService->logAccessDenied($actingUser->getId());
throw $this->createAccessDeniedException(self::ACCESS_DENIED);
}
// Load target user
$user = $this->userRepository->find($id); $user = $this->userRepository->find($id);
if (!$user) { if (!$user) {
$this->loggerService->logEntityNotFound('User', ['id' => $id], $actingUser->getId()); $this->loggerService->logEntityNotFound('User', ['id' => $id], $actingUser->getId());
throw $this->createNotFoundException(self::NOT_FOUND); throw $this->createNotFoundException(self::NOT_FOUND);
} }
// Deactivate
if ($status === 'deactivate') { if ($status === 'deactivate') {
$user->setIsActive(false); $user->setIsActive(false);
@ -647,7 +638,7 @@ class UserController extends AbstractController
public function dataNew(Request $request): JsonResponse public function dataNew(Request $request): JsonResponse
{ {
$actingUser = $this->userService->getUserByIdentifier($this->getUser()->getUserIdentifier()); $actingUser = $this->userService->getUserByIdentifier($this->getUser()->getUserIdentifier());
if ($this->userService->hasAccessTo($actingUser, true) && $this->isGranted("ROLE_ADMIN")) { if ($this->userService->hasAccessTo($actingUser, true) && $this->isGranted("ROLE_USER")) {
$orgId = $request->query->get('orgId'); $orgId = $request->query->get('orgId');
$uos = $this->uoRepository->findBy(['organization' => $orgId, 'statut' => ["ACCEPTED", "INVITED"]], $uos = $this->uoRepository->findBy(['organization' => $orgId, 'statut' => ["ACCEPTED", "INVITED"]],
orderBy: ['createdAt' => 'DESC'], limit: 5); orderBy: ['createdAt' => 'DESC'], limit: 5);
@ -683,7 +674,7 @@ class UserController extends AbstractController
public function dataAdmin(Request $request): JsonResponse public function dataAdmin(Request $request): JsonResponse
{ {
$actingUser = $this->userService->getUserByIdentifier($this->getUser()->getUserIdentifier()); $actingUser = $this->userService->getUserByIdentifier($this->getUser()->getUserIdentifier());
if ($this->userService->hasAccessTo($actingUser, true) && $this->isGranted("ROLE_ADMIN")) { if ($this->userService->hasAccessTo($actingUser, true) && $this->isGranted("ROLE_USER")) {
$orgId = $request->query->get('orgId'); $orgId = $request->query->get('orgId');
$uos = $this->uoRepository->findBy(['organization' => $orgId]); $uos = $this->uoRepository->findBy(['organization' => $orgId]);
$roleAdmin = $this->entityManager->getRepository(Roles::class)->findOneBy(['name' => 'ADMIN']); $roleAdmin = $this->entityManager->getRepository(Roles::class)->findOneBy(['name' => 'ADMIN']);
@ -725,7 +716,7 @@ class UserController extends AbstractController
{ {
$actingUser = $this->userService->getUserByIdentifier($this->getUser()->getUserIdentifier()); $actingUser = $this->userService->getUserByIdentifier($this->getUser()->getUserIdentifier());
if ($this->userService->hasAccessTo($actingUser, true) && $this->isGranted("ROLE_ADMIN")) { if ($this->userService->hasAccessTo($actingUser, true) && $this->isGranted("ROLE_USER")) {
$orgId = $request->query->get('orgId'); $orgId = $request->query->get('orgId');
$page = max(1, (int)$request->query->get('page', 1)); $page = max(1, (int)$request->query->get('page', 1));
$size = max(1, (int)$request->query->get('size', 10)); $size = max(1, (int)$request->query->get('size', 10));

26
src/Service/UserService.php
View File

@ -125,7 +125,31 @@ class UserService
} }
/* Return if the current user is an admin of the target user.
* This is true if the current user is an admin of at least one organization that the target user belongs to.
*
* @param User $user
* @return bool
* @throws Exception
*/
public function isAdminOfUser(User $user): bool
{
$actingUser = $this->getUserByIdentifier($this->security->getUser()->getUserIdentifier());
$roleAdmin = $this->rolesRepository->findOneBy(['name' => 'ADMIN']);
$adminUOs = $this->entityManager->getRepository(UsersOrganizations::class)->findBy([
'users' => $actingUser,
'isActive' => true,
'role'=> $roleAdmin]);
$userOrganizations = $this->entityManager->getRepository(UsersOrganizations::class)->findBy(['users' => $user, 'statut' => 'ACCEPTED', 'isActive' => true]);
if ($userOrganizations) {
foreach ($userOrganizations as $uo) {
if (in_array($uo, $adminUOs, true)) {
return true;
}
}
}
return false;
}
/** /**
* Check if the acting user is an admin of the organization * Check if the acting user is an admin of the organization