security admin

app/config/security.yml

@@ -55,9 +55,13 @@ security:
         - { path: ^/admin/members/badges, roles: ROLE_ADMIN }
         - { path: ^/admin/members/users, roles: ROLE_ADMIN }
         - { path: ^/admin/event/speakers-management, roles: ROLE_FORUM }
+        #- { path: ^/admin/event, roles: ROLE_ADMIN }
+        #- { path: ^/admin/vote, roles: ROLE_ADMIN }
+        #- { path: ^/admin/members/general_meeting, roles: ROLE_ADMIN }
+        #- { path: ^/admin/members/general_meeting_vote, roles: ROLE_ADMIN }
+        #- { path: ^/admin/site, roles: ROLE_ADMIN }
         - { path: ^/admin/(members/reporting|association/relances|talk|slackmembers/check), roles: ROLE_ADMIN}
         - { path: ^/member, roles: [ROLE_USER, ROLE_MEMBER_EXPIRED]}
-        - { path: ^/admin/(members/reporting|association/relances|talk|slackmembers/check), roles: ROLE_NO_ACCESS}
         - { path: ^/admin/, roles: ROLE_MEMBER_EXPIRED }
         - { path: ^/blog, allow_if: "request.getClientIp() in ['217.70.189.71', '127.0.0.1', '192.168.42.1'] or request.server.get('ALLOW_BLOG_FROM_ALL') == 1 or request.headers.get('x-afup-blog-api-key') == '%blog_api_key%'" }
         - { path: ^/blog, roles: ROLE_NO_ACCESS }

tests/behat/features/Admin/AdminGithubUsers.feature

@@ -1,6 +1,12 @@
 Feature: Administration - Partie GitHub Users
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder aux utilisateurs GitHub
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/event/github-user/"
+    Then the response status code should be 403
+
   Scenario Outline: Accès à la liste des utilisateurs GitHub
     Given I am logged in as admin and on the Administration
     And I follow "Github Users"

tests/behat/features/Admin/AdminSpeakers.feature

@@ -1,6 +1,12 @@
 Feature: Administration - Partie Speakers
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder à la gestion des Speakers
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/event/speakers-management"
+    Then the response status code should be 403
+
   Scenario: Ajout/modification/suppression d'un speaker
     Given I am logged in as admin and on the Administration
     And I follow "Speakers"

tests/behat/features/Admin/AdminTarifications.feature

@@ -1,6 +1,12 @@
 Feature: Administration - Partie Tarifications
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder à la tarification
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/event/prices"
+    Then the response status code should be 403
+
   Scenario: Ajout d'une tarification
     Given I am logged in as admin and on the Administration
     And I follow "Tarifications"

tests/behat/features/Admin/AdminVenueSpeakers.feature

@@ -1,6 +1,12 @@
 Feature: Administration - Partie Venue Speakers
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder aux venues Speakers
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/event/speakers-expenses"
+    Then the response status code should be 403
+
   Scenario: Liste des speakers liés à un évènement et modification d'une information sur la page info speaker
     Given I am logged in as admin and on the Administration
     And I follow "Venue speakers"

tests/behat/features/Admin/Events/GestionEvenements.feature

@@ -4,6 +4,25 @@ Feature: Administration - Évènements - Gestions Évènements
   @clearEmails
   @clearAllMailInscriptionAttachments
   @clearAllSponsorFiles
+
+  Scenario: Un membre ne peut pas accéder à la liste des événements
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/event/list"
+    Then the response status code should be 403
+
+  Scenario: Supression d'un évènement vide
+    Given I am logged in as admin and on the Administration
+    And I follow "Gestion évènements"
+    Then the ".content h2" element should contain "Liste des évènements"
+    When I follow "Ajouter"
+    Then I fill in "titre" with "SUPP"
+    And I fill in "nb_places" with "3"
+    And I press "Soumettre"
+    Then I should see "Le forum a été ajouté"
+    And I should see "Liste des évènements"
+    When I follow the button of tooltip "Supprimer le forum SUPP"
+    And I should see "Événement supprimé"
+
   Scenario: On crée un nouvel évènement vide
     Given I am logged in as admin and on the Administration
     And I follow "Gestion évènements"

tests/behat/features/Admin/Events/Salles.feature

@@ -1,6 +1,12 @@
 Feature: Administration - Évènements - Salles
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder aux Salles
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/event/room"
+    Then the response status code should be 403
+
   Scenario: On crée une nouvelle salle vide
     Given I am logged in as admin and on the Administration
     And I follow "Salles"

tests/behat/features/Admin/Events/Suivi.feature

@@ -1,6 +1,12 @@
 Feature: Administration - Évènements - Suivi
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder aux stats
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/event/stats"
+    Then the response status code should be 403
+
   Scenario: On vérifie la page du suivi
     Given I am logged in as admin and on the Administration
     And I follow "Suivi"

tests/behat/features/Admin/Events/TokensSponsors.feature

@@ -2,6 +2,12 @@ Feature: Administration - Évènements - Tokens Sponsors
 
   @reloadDbWithTestData
   @clearEmails
+
+  Scenario: Un membre ne peut pas accéder aux tokens Sponsors
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/event/sponsor"
+    Then the response status code should be 403
+
   Scenario: Tickets sponsors
     Given I am logged in as admin and on the Administration
     And I follow "Tokens sponsors"

tests/behat/features/Admin/Events/TokensVIsiteurs.feature

@@ -1,6 +1,12 @@
 Feature: Administration - Évènements - Tokens Visiteurs
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder aux tokens visiteurs
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/event/special_price"
+    Then the response status code should be 403
+
   Scenario: Création d'un token visiteurs
     Given I am logged in as admin and on the Administration
     And I follow "Tokens visiteurs"

tests/behat/features/Admin/Events/Virements.feature

@@ -1,6 +1,12 @@
 Feature: Administration - Évènements - Virements en attente
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder aux virements en attente
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/event/bankwires"
+    Then the response status code should be 403
+
   Scenario: Accès à la liste des virements
     Given I am logged in as admin and on the Administration
     # Ajout d'une inscription avec virement

tests/behat/features/Admin/Events/VoteVisiteur.feature

@@ -1,6 +1,12 @@
 Feature: Administration - Évènements - Vote Visiteur
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder aux votes visiteurs
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/vote/"
+    Then the response status code should be 403
+
   Scenario: Accès aux votes des visiteurs
     Given I am logged in as admin and on the Administration
     And I follow "Votes visiteurs"

tests/behat/features/Admin/Members/GeneralMeeting/GeneralMeeting.feature

@@ -1,6 +1,17 @@
 Feature: Administration - Partie Assemblée Générale
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder à la gestion de l'assemblée générale
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/members/general_meeting"
+    Then the response status code should be 403
+
+  Scenario: Un membre ne peut pas accéder à la préparation de l'assemblée générale
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/members/general_meeting/prepare"
+    Then the response status code should be 403
+
   Scenario: Créer une assemblée générale
     Given I am logged in as admin and on the Administration
     And I follow "Assemblée générale"

tests/behat/features/Admin/Members/GeneralMeeting/GeneralMeetingQuestions.feature

@@ -1,6 +1,12 @@
 Feature: Administration - Partie Assemblée Générale Questions
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder aux questions de l'assemblée générale
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/members/general_meeting_vote"
+    Then the response status code should be 403
+
   Scenario: Accès à la liste des questions
     Given I am logged in as admin and on the Administration
     And I follow "Assemblée générale - votes"

tests/behat/features/Admin/Members/GeneralMeeting/GeneralMeetingReports.feature

@@ -1,6 +1,12 @@
 Feature: Administration - Partie Assemblée Générale CR
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder aux comptes rendus de l'ssemblée générale
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/members/general_meeting/reports"
+    Then the response status code should be 403
+
   Scenario: Accède à la liste des CR
     Given I am logged in as admin and on the Administration
     And I follow "Assemblée générale"

tests/behat/features/Admin/PlanetePHP/BIllets.feature

@@ -1,8 +1,16 @@
 Feature: Administration - Planète PHP - Billets
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder à la gestion de planète PHP
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/planete/feed-articles"
+    Then the response status code should be 403
+
   Scenario: Gestion des flux
     Given I am logged in as admin and on the Administration
     When I follow "Billets"
     Then the ".content h2" element should contain "Billets"
     And I should see "Un titre Le contenu du super article Actif"
+
+

tests/behat/features/Admin/PlanetePHP/Flux.feature

@@ -1,6 +1,18 @@
 Feature: Administration - Planète PHP - Flux
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder à la gestion de planète PHP
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/planete/feeds"
+    Then the response status code should be 403
+    And I am on "/admin/planete/feeds/add"
+    Then the response status code should be 403
+    And I am on "/admin/planete/feeds/edit"
+    Then the response status code should be 403
+    And I am on "/admin/planete/feeds/delete"
+    Then the response status code should be 403
+
   Scenario: Gestion des flux
     Given I am logged in as admin and on the Administration
     When I follow "Flux"

tests/behat/features/Admin/Site/AdminSiteRubriques.feature

@@ -1,6 +1,16 @@
 Feature: Administration - Partie Site
 
   @reloadDbWithTestData
+
+  Scenario: Un membre ne peut pas accéder à la gestion du site
+    Given I am logged-in with the user "paul" and the password "paul"
+    And I am on "/admin/site/rubriques"
+    Then the response status code should be 403
+    And I am on "/admin/site/rubriques/add"
+    Then the response status code should be 403
+    And I am on "/admin/site/rubriques/delete"
+    Then the response status code should be 403
+
   Scenario: Ajout/modification/suppression d'une rubrique
     Given I am logged in as admin and on the Administration
     And I follow "Rubriques"