feat/security-admin-access: restrict user management to administrators #11#41
Merged
Conversation
- Restrict all user management paths (^/users) in app/config/security.yml access_control.
- Add denyAccessUnlessGranted('ROLE_ADMIN') checks in all UserController actions for defense in depth.
- Ensure only users holding administrative privileges can access user list, creation, and edition.
…plate
- Wrap the Gestion des utilisateurs button with a Twig is_granted('ROLE_ADMIN') is same as(true) condition.
- Prevent non-admin users from seeing or clicking the administration entry point.
…dacy fixes - Create UserControllerTest to validate 403 Forbidden for ROLE_USER and 200 OK for ROLE_ADMIN. - Refactor UserTest with setup() method and add PHPUnit Mock/Stub examples. - Fix implicit true comparison in UserType's CallbackTransformer using . - Replace negative operator with explicit comparison for default ROLE_USER injection in User entity. - Document classes and methods with standard English PHPDoc comments.
Up to standards ✅🟢 Issues
|
| Metric | Results |
|---|---|
| Complexity | 0 |
| Duplication | 0 |
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
This Pull Request restricts access to all user management features (viewing the list, creating, and editing users) exclusively to administrators (
ROLE_ADMIN), resolving security issue #11.It implements a "defense-in-depth" security strategy by securing both the global routing configuration, the controller endpoints, and the user interface, while ensuring full code-quality compliance with Codacy.
Changes Made
Security & Backend
^/users) directly insideapp/config/security.ymlunderaccess_control.denyAccessUnlessGranted('ROLE_ADMIN')checks at the beginning of all actions inUserController.is_granted('ROLE_ADMIN') is same as(true)) to hide it from standard users.Code Quality & Codacy Fixes
in_array('ROLE_USER', $roles) === false) to ensure every user has at leastROLE_USER.count($rolesAsArray) > 0).Testing & Refactoring
403 Forbiddenon user routes, while administrators successfully get a200 OK.setUp()) method and introduced standard PHPUnit test doubles (mocks/stubs) documentation.How to Test
ROLE_USER).http://localhost/users(or/users/create) and verify that you receive an access denied (403) error page.ROLE_ADMIN).http://localhost/usersand check that the user list loads correctly (200 OK).