Skip to content

feat/security-admin-access: restrict user management to administrators #11#41

Merged
Mike031289 merged 3 commits into
developfrom
feat/security-admin-access
Jul 16, 2026
Merged

feat/security-admin-access: restrict user management to administrators #11#41
Mike031289 merged 3 commits into
developfrom
feat/security-admin-access

Conversation

@Mike031289

Copy link
Copy Markdown
Owner

Overview

This Pull Request restricts access to all user management features (viewing the list, creating, and editing users) exclusively to administrators (ROLE_ADMIN), resolving security issue #11.

It implements a "defense-in-depth" security strategy by securing both the global routing configuration, the controller endpoints, and the user interface, while ensuring full code-quality compliance with Codacy.


Changes Made

Security & Backend

  • Global Access Control: Secured all user paths (^/users) directly inside app/config/security.yml under access_control.
  • Controller-Level Security: Added denyAccessUnlessGranted('ROLE_ADMIN') checks at the beginning of all actions in UserController.
  • UI Protection (Twig): Wrapped the "Gestion des utilisateurs" navigation button with a strict Twig condition (is_granted('ROLE_ADMIN') is same as(true)) to hide it from standard users.

Code Quality & Codacy Fixes

  • User Entity: Replaced implicit check with a strict comparison (in_array('ROLE_USER', $roles) === false) to ensure every user has at least ROLE_USER.
  • UserType Transformer: Refactored the array-to-string transformation inside the callback transformer using an explicit count check (count($rolesAsArray) > 0).

Testing & Refactoring

  • UserControllerTest: Created a new functional test suite validating that standard users receive a 403 Forbidden on user routes, while administrators successfully get a 200 OK.
  • UserTest: Refactored the unit test suite to isolate user instantiation in a setup (setUp()) method and introduced standard PHPUnit test doubles (mocks/stubs) documentation.
  • Documentation: Fully documented all new/refactored methods with standard English PHPDoc blocks.

How to Test

  1. Log in with a standard account (ROLE_USER).
  2. Try to manually access http://localhost/users (or /users/create) and verify that you receive an access denied (403) error page.
  3. Check the navigation bar; the "Gestion des utilisateurs" link should be hidden.
  4. Log in with an admin account (ROLE_ADMIN).
  5. Access http://localhost/users and check that the user list loads correctly (200 OK).
  6. Run the test suite to ensure everything is green:
    vendor/bin/phpunit

- Restrict all user management paths (^/users) in app/config/security.yml access_control.
- Add denyAccessUnlessGranted('ROLE_ADMIN') checks in all UserController actions for defense in depth.
- Ensure only users holding administrative privileges can access user list, creation, and edition.
…plate

- Wrap the Gestion des utilisateurs  button with a Twig is_granted('ROLE_ADMIN') is same as(true) condition.
- Prevent non-admin users from seeing or clicking the administration entry point.
…dacy fixes

- Create UserControllerTest to validate 403 Forbidden for ROLE_USER and 200 OK for ROLE_ADMIN.
- Refactor UserTest with setup() method and add PHPUnit Mock/Stub examples.
- Fix implicit true comparison in UserType's CallbackTransformer using .
- Replace negative operator with explicit  comparison for default ROLE_USER injection in User entity.
- Document classes and methods with standard English PHPDoc comments.
@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@Mike031289
Mike031289 merged commit dbe1944 into develop Jul 16, 2026
2 checks passed
@github-project-automation github-project-automation Bot moved this from Backlog to Done in @Mike031289's ToDo-Co Jul 16, 2026
@Mike031289
Mike031289 deleted the feat/security-admin-access branch July 16, 2026 21:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

feature Extra attention is needed security

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

1 participant