From ffd792a25fdc2309ff1452c1381672eb7b60ac1f Mon Sep 17 00:00:00 2001
From: Albin
Date: Sun, 25 Feb 2024 14:59:36 +0100
Subject: [PATCH] fix permissions

---
 Makefile | 4 +--
 app/config/security.yml | 1 +
 .../Security/LegacyAuthenticator.php | 2 +-
 .../features/Admin/AccessCheckMembers.feature | 30 +++++++++++++++++++
 4 files changed, 34 insertions(+), 3 deletions(-)
 create mode 100644 tests/behat/features/Admin/AccessCheckMembers.feature

diff --git a/Makefile b/Makefile
index be243703e..d788eb711 100644
--- a/Makefile
+++ b/Makefile
@@ -48,7 +48,7 @@ watch:
 app/config/parameters.yml:
 cp app/config/parameters.yml.dist-docker app/config/parameters.yml
-init:
+init: htdocs/uploads
 make config
 make init-db
@@ -66,7 +66,7 @@ test:
 ./bin/php-cs-fixer fix --dry-run -vv
-test-functional: data config htdocs/uploads
+test-functional: data config
 CURRENT_UID=$(CURRENT_UID) $(DOCKER_COMPOSE_BIN) stop dbtest apachephptest planetetest mailcatcher
 CURRENT_UID=$(CURRENT_UID) $(DOCKER_COMPOSE_BIN) up -d dbtest apachephptest planetetest mailcatcher
 CURRENT_UID=$(CURRENT_UID) $(DOCKER_COMPOSE_BIN) run --no-deps --rm cliphp ./bin/behat
diff --git a/app/config/security.yml b/app/config/security.yml
index 097c4ce65..e23520a2b 100644
--- a/app/config/security.yml
+++ b/app/config/security.yml
@@ -53,6 +53,7 @@ security:
 - { path: ^/admin/techletter, roles: ROLE_VEILLE }
 - { path: ^/admin/company, roles: ROLE_COMPANY_MANAGER }
 - { path: ^/admin/members/badges, roles: ROLE_ADMIN }
+ - { path: ^/admin/members/users, roles: ROLE_ADMIN }
 - { path: ^/admin/event/speakers-management, roles: ROLE_FORUM }
 - { path: ^/admin/(members/reporting|association/relances|talk|slackmembers/check), roles: ROLE_ADMIN}
 - { path: ^/member, roles: [ROLE_USER, ROLE_MEMBER_EXPIRED]}
diff --git a/sources/AppBundle/Security/LegacyAuthenticator.php b/sources/AppBundle/Security/LegacyAuthenticator.php
index 32c273266..6120301aa 100644
--- a/sources/AppBundle/Security/LegacyAuthenticator.php
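Review bot: Dropping `htdocs/uploads` from the prerequisites of `test-functional` means a tree that ran `make config` but never `make init` now starts the Behat containers without that directory, so any scenario that writes an upload fails at test time instead of at setup. The subject line suggests the move is deliberate (presumably the directory was being created by the test target under the wrong owner), but nothing in the Makefile records that; a comment on the `init:` line such as `# create htdocs/uploads here, not in test-functional, so it is owned by the invoking user` would keep it from being moved back. The second Makefile hunk (`test-functional:`) is the other half of the same change.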
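Review bot: The new `^/admin/members/users` rule carries the same `ROLE_ADMIN` as the alternation two lines below it, so the more maintainable form is to extend that entry rather than add another ROLE_ADMIN line: `- { path: ^/admin/(members/reporting|members/users|association/relances|talk|slackmembers/check), roles: ROLE_ADMIN}`. Whichever form is kept, Symfony evaluates access_control first-match, so if a broader `^/admin` rule with a lesser role exists further down (not visible in this hunk) this line must stay above it; a one-line comment saying that the ordering is load-bearing would help. Note also that the legacy `/pages/administration/index.php?page=…` screens exercised by the new feature file are not matched by any rule visible here and appear to rely on the legacy application's own authorization check.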
+++ b/sources/AppBundle/Security/LegacyAuthenticator.php
@@ -94,7 +94,7 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,
 return new RedirectResponse($target_path);
 }
- return new RedirectResponse('/member');
+ return new RedirectResponse('/member/');
 }
 /**
diff --git a/tests/behat/features/Admin/AccessCheckMembers.feature b/tests/behat/features/Admin/AccessCheckMembers.feature
new file mode 100644
index 000000000..120b844ef
--- /dev/null
+++ b/tests/behat/features/Admin/AccessCheckMembers.feature
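Review bot: The fallback redirect is still a hard-coded URL, and this trailing-slash edit is the drift that invites: `'/member/'` now has to agree with both the `^/member` access_control pattern in security.yml and whatever route actually serves it, with nothing tying them together. If the authenticator has access to the router, `return new RedirectResponse($this->router->generate('<member-route-name>'));` (placeholder route name) pins it to the route definition; otherwise a comment on the line explaining why the trailing slash is required (presumably `/member` without it redirects or is not served) would at least record the reason. `onAuthenticationSuccess` starts outside the hunk, so the origin of `$target_path` is not visible; if it is the session-stored target path it is fine, but if it can ever be taken from a request parameter it should be checked to be a same-site relative path before being used as a redirect target.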
@@ -0,0 +1,30 @@
+Feature: Valider les accès depuis un compte membre
+
+ # @reloadDbWithTestData
+ Scenario: L'accès à une personne physique
+ Given I am logged-in with the user "paul" and the password "paul"
+ # Modification
+ When I go to "/admin/members/users/edit?id=5"
+ Then the response status code should be 403
+ # Suppression
+ When I go to "/admin/members/users/delete?id=5"
+ Then the response status code should be 403
+ # Cotisation
+ When I go to "/pages/administration/index.php?page=cotisations&type_personne=0&id_personne=5"
+ Then I should see "Vous n'avez pas le droit d'accéder à cette page"
+
+ @reloadDbWithTestData
+ Scenario: L'accès à une personne morale
+ Given I am logged-in with the user "paul" and the password "paul"
+ # Modification
+ When I go to "/pages/administration/index.php?page=personnes_morales&action=modifier&id=2"
+ Then I should see "Vous n'avez pas le droit d'accéder à cette page"
+ # Cotisation
+ When I go to "/pages/administration/index.php?page=cotisations&type_personne=1&id_personne=2"
+ Then I should see "Vous n'avez pas le droit d'accéder à cette page"
+ # Suppression
+ When I go to "/pages/administration/index.php?page=cotisations&action=supprimer&type_personne=1&id_personne=2&id=7"
+ Then I should see "Vous n'avez pas le droit d'accéder à cette page"
+ # Facture
+ When I go to "/pages/administration/index.php?page=cotisations&action=telecharger_facture&type_personne=1&id_personne=2&id=7"
+ Then I should see "Vous n'avez pas le droit d'accéder à cette page"
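Review bot: The first scenario's `@reloadDbWithTestData` tag is commented out, so it runs against whatever database state the previous feature left behind and silently depends on user `paul` and person `id=5` existing there; either restore the tag or add a comment saying why it is omitted. The legacy-page assertions check a French UI string (`Vous n'avez pas le droit d'accéder à cette page`) rather than a status code, so a rewording, or a page that shows the message and still renders the form, would pass; adding `Then the response status code should be 403` where the legacy app sets one, or `And I should not see "…"` on a form element the page would otherwise render, makes the check harder to satisfy by accident. The Symfony routes in the first scenario are checked by status code only, which is the right shape for the legacy ones too where the application allows it.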