#206: en admin, trésoriers et admins siège peuvent "voir les comptoirs"

(en lecture seule, c-à-d en mode LIST et VIEW)

#206: en admin, trésoriers et admins siège peuvent "voir les comptoirs"
(en lecture seule, c-à-d en mode LIST et VIEW)
e0839f9a · Mathieu Poisbeau · 704e5af3 · e0839f9a · e0839f9a
Commit e0839f9a authored Oct 26, 2020 by Mathieu Poisbeau
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 6 deletions

security.yaml config/packages/security.yaml +8 -5

ComptoirAdmin.php src/Admin/ComptoirAdmin.php +3 -1

No files found.
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -96,7 +96,7 @@ security:
            switch_user:
                provider: fos_userbundle
            # access_denied_handler: App\Security\AccessDeniedHandler
-       
+
    encoders:
        # FOS\UserBundle\Model\UserInterface: bcrypt
        FOS\UserBundle\Model\UserInterface:
@@ -109,22 +109,25 @@ security:
        ROLE_API:               ROLE_USER
        ROLE_ADHERENT:          ROLE_USER
        ROLE_PRESTATAIRE:       ROLE_USER
-        ROLE_ADMIN_SIEGE:       [ROLE_USER, ROLE_ADMIN]
+        ROLE_ADMIN_SIEGE:       [ROLE_USER, ROLE_ADMIN, ROLE_ADMIN_COMPTOIR_READER]
        ROLE_REDACTEUR:         [ROLE_USER, ROLE_ADMIN]
-        ROLE_TRESORIER:         [ROLE_USER, ROLE_ADMIN]
+        ROLE_TRESORIER:         [ROLE_USER, ROLE_ADMIN, ROLE_ADMIN_COMPTOIR_READER]
        ROLE_CONTROLEUR:        [ROLE_USER, ROLE_ADMIN]
        ROLE_GESTION_GROUPE:    [ROLE_USER, ROLE_ADMIN]
        ROLE_COMPTOIR:          [ROLE_USER, ROLE_ADMIN]
        ROLE_CONTACT:           [ROLE_USER, ROLE_ADMIN]
        ROLE_ADMIN:             [ROLE_USER, ROLE_SONATA_ADMIN]
+        ROLE_ADMIN_COMPTOIR_READER:
+            - ROLE_ADMIN_COMPTOIR_GERER_LIST
+            - ROLE_ADMIN_COMPTOIR_GERER_VIEW
        ROLE_SUPER_ADMIN:       [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH, ROLE_API]

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
-        # 
+        #
        # @TODO : better access control !
-        # 
+        #
        # Admin login page needs to be accessed without credential
        # - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }

--- a/src/Admin/ComptoirAdmin.php
+++ b/src/Admin/ComptoirAdmin.php
@@ -53,7 +53,9 @@ class ComptoirAdmin extends AbstractAdmin
        $query = parent::createQuery($context);
        $user = $this->security->getUser();
        if (empty($this->getRequest()->getSession()->get('_groupegere'))) {
-            if ($user->isGranted('ROLE_GESTION_GROUPE') || $user->isGranted('ROLE_CONTACT') || $user->isGranted('ROLE_TRESORIER')) {
+            // TODO: Pourquoi empêcher toutes les "requêtes comptoir" pour ces rôles ?
+            //if ($user->isGranted('ROLE_GESTION_GROUPE') || $user->isGranted('ROLE_CONTACT') || $user->isGranted('ROLE_TRESORIER')) {
+            if ($user->isGranted('ROLE_GESTION_GROUPE') || $user->isGranted('ROLE_CONTACT')) {
                $query->andWhere('false = true');
            }
        } else {