feat: RBAC P2 (permission-based authorization + session guard + /api/me) #12

Merged
Corentin merged 2 commits from feat/p2-rbac into dev 2026-06-15 20:45:20 +02:00
Owner

RBAC P2: authorization layer and session-guard wiring.

  • Authorizer: check by PERMISSION via role_permission (RG-T03), reloaded from the database on
    every call (10.4 RG-3); a disabled role grants nothing.
  • AuthenticatedController: base for protected controllers (wires SessionGuard RG-6/RG-T02 + Authorizer),
    placed in App\Controllers so as not to invert the Core's dependency direction.
  • GET /api/me: identity + permissions of the session; 401 AUTH_REQUIRED if the session is absent/expired/inactive.
    First real consumer of the SessionGuard.

Quality: 110 tests (unit + DB integration, auto-skipped without a database, including an anti-regression guard of the
role.is_active predicate against the real schema), PHPStan L6 green, /api/me validated E2E. Adversarial review
passed (3 findings fixed, 1 refuted by design).

Base branch chosen deliberately: dev.
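The three behaviours the description commits to (permission lookup through role_permission re-read from the database on every call, a disabled role conferring nothing, and /api/me answering 401 AUTH_REQUIRED when the session is absent, expired or inactive) can be exercised end to end against an in-memory SQLite schema. The following is an added illustration written for this page, not code from the corentin_wakdo repository: the class names SessionGuard, Authorizer and MeController and the table name role_permission come from the PR, while the table names user_role and permission, the column layout, the method names and the session store shape are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Assumed schema: role(id, code, is_active), permission(id, code),
// role_permission(role_id, permission_id), user_role(user_id, role_id). role.is_active is the predicate named in the PR.
final class Authorizer
{
    public function __construct(private PDO $db) {}

    // Queries the database on every call (no in-process cache), so disabling a role takes effect on the next check.
    public function can(int $userId, string $permissionCode): bool
    {
        $stmt = $this->db->prepare(
            'SELECT 1 FROM user_role ur
               JOIN role r ON r.id = ur.role_id AND r.is_active = 1
               JOIN role_permission rp ON rp.role_id = r.id
               JOIN permission p ON p.id = rp.permission_id
              WHERE ur.user_id = :uid AND p.code = :code LIMIT 1'
        );
        $stmt->execute([':uid' => $userId, ':code' => $permissionCode]);
        return $stmt->fetchColumn() !== false;
    }

    /** @return list<string> permission codes granted through active roles only */
    public function permissionsOf(int $userId): array
    {
        $stmt = $this->db->prepare(
            'SELECT DISTINCT p.code FROM user_role ur
               JOIN role r ON r.id = ur.role_id AND r.is_active = 1
               JOIN role_permission rp ON rp.role_id = r.id
               JOIN permission p ON p.id = rp.permission_id
              WHERE ur.user_id = :uid ORDER BY p.code'
        );
        $stmt->execute([':uid' => $userId]);
        return $stmt->fetchAll(PDO::FETCH_COLUMN);
    }
}

final class SessionGuard
{
    /** @param array<string, array{user_id: int, expires_at: int, active: bool}> $sessions constructed session store */
    public function __construct(private array $sessions, private int $now) {}

    // Returns the user id for a usable session, null when the session is absent, expired or inactive.
    public function resolve(?string $sessionId): ?int
    {
        if ($sessionId === null || !isset($this->sessions[$sessionId])) {
            return null;
        }
        $s = $this->sessions[$sessionId];
        if (!$s['active'] || $s['expires_at'] <= $this->now) {
            return null;
        }
        return $s['user_id'];
    }
}

final class MeController
{
    public function __construct(private SessionGuard $guard, private Authorizer $authz) {}

    /** @return array{status: int, body: array<string, mixed>} */
    public function get(?string $sessionId): array
    {
        $userId = $this->guard->resolve($sessionId);
        if ($userId === null) {
            return ['status' => 401, 'body' => ['error' => 'AUTH_REQUIRED']];
        }
        return ['status' => 200, 'body' => ['user_id' => $userId, 'permissions' => $this->authz->permissionsOf($userId)]];
    }
}

function expect(bool $cond, string $what): void
{
    if (!$cond) { throw new RuntimeException("expectation failed: $what"); }
}

// Constructed fixture: one user (42) holding two roles, one of which will be disabled mid-run.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE role (id INTEGER PRIMARY KEY, code TEXT NOT NULL, is_active INTEGER NOT NULL DEFAULT 1)');
$db->exec('CREATE TABLE permission (id INTEGER PRIMARY KEY, code TEXT NOT NULL UNIQUE)');
$db->exec('CREATE TABLE role_permission (role_id INTEGER NOT NULL, permission_id INTEGER NOT NULL)');
$db->exec('CREATE TABLE user_role (user_id INTEGER NOT NULL, role_id INTEGER NOT NULL)');
$db->exec("INSERT INTO role VALUES (1, 'editor', 1), (2, 'admin', 1)");
$db->exec("INSERT INTO permission VALUES (1, 'article.read'), (2, 'article.publish'), (3, 'user.delete')");
$db->exec('INSERT INTO role_permission VALUES (1, 1), (1, 2), (2, 3)');
$db->exec('INSERT INTO user_role VALUES (42, 1), (42, 2)');

$authz = new Authorizer($db);
$guard = new SessionGuard([
    's-ok'       => ['user_id' => 42, 'expires_at' => 2000, 'active' => true],
    's-expired'  => ['user_id' => 42, 'expires_at' => 500,  'active' => true],
    's-inactive' => ['user_id' => 42, 'expires_at' => 2000, 'active' => false],
], now: 1000);
$me = new MeController($guard, $authz);

expect($me->get(null)['body']['error'] === 'AUTH_REQUIRED', 'absent session is rejected');
expect($me->get('s-expired')['status'] === 401, 'expired session is rejected');
expect($me->get('s-inactive')['status'] === 401, 'inactive session is rejected');
expect($me->get('s-ok')['body']['permissions'] === ['article.publish', 'article.read', 'user.delete'], 'all active roles contribute');

expect($authz->can(42, 'user.delete'), 'admin permission granted while role is active');
$db->exec("UPDATE role SET is_active = 0 WHERE code = 'admin'");   // disable the role, no cache to flush
expect(!$authz->can(42, 'user.delete'), 'disabled role confers nothing on the very next call');
expect($authz->can(42, 'article.publish'), 'unrelated active role is unaffected');
echo json_encode($me->get('s-ok')['body']), PHP_EOL;
```

Run with `php example.php` on PHP 8 with the pdo_sqlite extension. The point the fixture makes is the one the PR's RG-3 wording relies on: because Authorizer issues a fresh query each time, revoking a role (is_active = 0) is visible on the next request without any session or cache invalidation, and the same join feeds /api/me, so the permission list the client sees and the check the controllers enforce cannot drift apart.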

Corentin added 2 commits 2026-06-15 20:42:24 +02:00
Authorizer checks a PERMISSION via role_permission (RG-T03), reloaded from the database on
every call (10.4 RG-3); a disabled role grants nothing. AuthenticatedController (App\Controllers)
wires SessionGuard (RG-6 + RG-T02) and Authorizer without inverting the Core's dependency direction. MeController
exposes GET /api/me (identity + permissions; 401 if the session is absent/expired/inactive): first
real consumer of the SessionGuard. Unit tests + DB integration tests (auto-skipped without a database) covering
the is_active predicate and the binding by permission code.
docs(api): add /api/me to the endpoint listing
Some checks failed
CI / auto-merge (push) Has been skipped
CI / auto-merge (pull_request) Failing after 5s
CI / secret-scan (push) Successful in 8s
CI / php-lint (push) Successful in 17s
CI / static-tests (push) Successful in 31s
CI / secret-scan (pull_request) Successful in 7s
CI / php-lint (pull_request) Successful in 17s
CI / static-tests (pull_request) Successful in 30s
5b714e9a3a
Reflects the GET /api/me endpoint (session-gated, RG-6/RG-T02/RG-T03) as in service in section 5.1.
Corentin added the auto-merge label 2026-06-15 20:42:25 +02:00
Corentin merged commit f979a2339e into dev 2026-06-15 20:45:20 +02:00
Corentin deleted branch feat/p2-rbac 2026-06-15 20:45:20 +02:00
Reference: AcadeNice/corentin_wakdo#12