+
<%= osuny_label t('activerecord.attributes.user.picture') %>
<%= kamifusen_tag @user.picture, class: 'img-fluid' %>
diff --git a/app/views/extranet/account/edit.html.erb b/app/views/extranet/account/edit.html.erb
index e6e53a273f..951834d2d2 100644
--- a/app/views/extranet/account/edit.html.erb
+++ b/app/views/extranet/account/edit.html.erb
@@ -59,6 +59,7 @@
<%= submit f %>
+ <%# TODO(roles-cache): visitor? = aucun rôle effectif. Sans cache -> roles.none?. %>
<% if current_user.visitor? %>
<%# we don't want the osuny priviledged account to be able to get deleted through extranet %>
<%= t("devise.registrations.edit.cancel_my_account") %>
diff --git a/app/views/server/universities/index.html.erb b/app/views/server/universities/index.html.erb
index 4941067c55..b4c4508c8f 100644
--- a/app/views/server/universities/index.html.erb
+++ b/app/views/server/universities/index.html.erb
@@ -37,6 +37,7 @@
University.human_attribute_name('public') %>
<%= university.languages.count %> |
+ <%# TODO(roles-cache): scope d'enum sur le cache `role`. Sans cache -> jointure sur `roles`. %>
<%= link_to university.users.not_server_admin.count, "#{university.url}/admin/users", target: :_blank %> |
<% if university.contribution_amount.to_i.zero? %>
|
diff --git a/app/views/server/universities/show.html.erb b/app/views/server/universities/show.html.erb
index 6d2cee3cab..656cb499d4 100644
--- a/app/views/server/universities/show.html.erb
+++ b/app/views/server/universities/show.html.erb
@@ -21,6 +21,7 @@
| <%= t('server_admin.universities.users_count') %> |
+ <%# TODO(roles-cache): scope d'enum sur le cache `role`. Sans cache -> jointure sur `roles`. %>
<%= link_to @university.users.not_server_admin.count, "#{@university.url}/admin/users", target: :_blank %> |
diff --git a/config/locales/en.yml b/config/locales/en.yml
index c83a018797..b71eb99e24 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -225,6 +225,9 @@ en:
done: Translation done! Please proof read before you save.
running: Currently translating
unavailable_button: Automatic translation unavailable
+ users:
+ add_role: Add a role
+ roles_hint: A user can hold several roles, each optionally limited to one website or program.
users_alerts:
already_confirmed: "Your account has already been confirmed."
not_locked_html: '
%{model} was not locked.'
diff --git a/config/locales/fr.yml b/config/locales/fr.yml
index 0db900d1d9..1148fa4019 100644
--- a/config/locales/fr.yml
+++ b/config/locales/fr.yml
@@ -225,6 +225,9 @@ fr:
done: Traduction effectuée ! Merci de relire avant d'enregistrer.
running: Traduction en cours
unavailable_button: Traduction automatique indisponible
+ users:
+ add_role: Ajouter un rôle
+ roles_hint: Un utilisateur peut cumuler plusieurs rôles, chacun pouvant être limité à un site ou une formation.
users_alerts:
already_confirmed: "Votre compte est déjà confirmé."
not_locked_html: "
%{model} n'était pas verrouillé(e)."
diff --git a/db/migrate/20260623120000_create_user_roles.rb b/db/migrate/20260623120000_create_user_roles.rb
new file mode 100644
index 0000000000..415da66691
--- /dev/null
+++ b/db/migrate/20260623120000_create_user_roles.rb
@@ -0,0 +1,60 @@
+class CreateUserRoles < ActiveRecord::Migration[8.1]
+ def up
+ create_table :user_roles, id: :uuid do |t|
+ t.references :user, type: :uuid, null: false, foreign_key: true
+ t.references :university, type: :uuid, null: false, foreign_key: true
+ t.integer :role, null: false
+ t.references :scope, type: :uuid, polymorphic: true, null: true
+ t.timestamps
+ end
+ add_index :user_roles,
+ [:user_id, :role, :scope_type, :scope_id],
+ unique: true,
+ name: "index_user_roles_uniqueness"
+
+ backfill_from_existing_roles
+ end
+
+ def down
+ drop_table :user_roles
+ end
+
+ private
+
+ # Encodage de l'enum User::ROLES (cf. User::WithRoles) :
+ # contributor 4, author 5, website_manager 15 -> scopés sur des sites
+ # program_manager 12 -> scopé sur des formations
+ # teacher 10, admin 20, server_admin 30 -> globaux (sans scope)
+ # visitor 0 -> pas de ligne (aucun droit)
+ def backfill_from_existing_roles
+ # Rôles globaux : une ligne sans scope
+ execute <<~SQL
+ INSERT INTO user_roles (id, user_id, university_id, role, created_at, updated_at)
+ SELECT public.gen_random_uuid(), u.id, u.university_id, u.role, now(), now()
+ FROM users u
+ WHERE u.role IN (10, 20, 30)
+ SQL
+
+ # Rôles scopés sur des sites : une ligne par site géré
+ execute <<~SQL
+ INSERT INTO user_roles (id, user_id, university_id, role, scope_type, scope_id, created_at, updated_at)
+ SELECT public.gen_random_uuid(), u.id, u.university_id, u.role,
+ 'Communication::Website', cwu.communication_website_id, now(), now()
+ FROM users u
+ JOIN communication_websites_users cwu ON cwu.user_id = u.id
+ WHERE u.role IN (4, 5, 15)
+ SQL
+
+ # Rôle scopé sur des formations : une ligne par formation gérée
+ execute <<~SQL
+ INSERT INTO user_roles (id, user_id, university_id, role, scope_type, scope_id, created_at, updated_at)
+ SELECT public.gen_random_uuid(), u.id, u.university_id, u.role,
+ 'Education::Program', epu.education_program_id, now(), now()
+ FROM users u
+ JOIN education_programs_users epu ON epu.user_id = u.id
+ WHERE u.role = 12
+ SQL
+ # Un rôle scopé sans aucune cible n'accordait déjà aucun droit : on ne crée
+ # pas de ligne pour ces utilisateurs (ils deviennent de fait visiteurs).
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index f001e380f4..90f68726c9 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema[8.1].define(version: 2026_06_18_144210) do
+ActiveRecord::Schema[8.1].define(version: 2026_06_23_120000) do
# These are extensions that must be enabled in order to support this database
enable_extension "pg_catalog.plpgsql"
enable_extension "pg_stat_statements"
@@ -2519,6 +2519,20 @@
t.index ["user_id"], name: "index_user_favorites_on_user_id"
end
+ create_table "user_roles", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+ t.datetime "created_at", null: false
+ t.integer "role", null: false
+ t.uuid "scope_id"
+ t.string "scope_type"
+ t.uuid "university_id", null: false
+ t.datetime "updated_at", null: false
+ t.uuid "user_id", null: false
+ t.index ["scope_type", "scope_id"], name: "index_user_roles_on_scope"
+ t.index ["university_id"], name: "index_user_roles_on_university_id"
+ t.index ["user_id", "role", "scope_type", "scope_id"], name: "index_user_roles_uniqueness", unique: true
+ t.index ["user_id"], name: "index_user_roles_on_user_id"
+ end
+
create_table "users", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
t.integer "brevo_contact_id"
t.datetime "confirmation_sent_at", precision: nil
@@ -2902,6 +2916,8 @@
add_foreign_key "university_role_localizations", "university_roles", column: "about_id"
add_foreign_key "university_roles", "universities"
add_foreign_key "user_favorites", "users"
+ add_foreign_key "user_roles", "universities"
+ add_foreign_key "user_roles", "users"
add_foreign_key "users", "languages"
add_foreign_key "users", "universities"
end
diff --git a/test/controllers/admin/users_controller_test.rb b/test/controllers/admin/users_controller_test.rb
new file mode 100644
index 0000000000..33cc17cf72
--- /dev/null
+++ b/test/controllers/admin/users_controller_test.rb
@@ -0,0 +1,71 @@
+require "test_helper"
+
+# rails test test/controllers/admin/users_controller_test.rb
+class Admin::UsersControllerTest < ActionDispatch::IntegrationTest
+ setup do
+ sign_in_with_2fa(admin)
+ end
+
+ test "edit affiche le formulaire multi-rôles" do
+ get edit_admin_user_path(alumnus, lang: french)
+
+ assert_response :success
+ assert_includes response.body, 'id="user_roles"'
+ assert_includes response.body, "Ajouter un rôle"
+ end
+
+ test "edit présélectionne les rôles existants et leur cible, sans visitor" do
+ target = User.find(alumnus.id)
+ target.grant_role!(:website_manager, scope: website_with_github)
+
+ get edit_admin_user_path(target, lang: french)
+ assert_response :success
+
+ role_select = response.body[/
]*data-user-role-role[^>]*>.*?<\/select>/m]
+ assert_match(/value="website_manager"[^>]*selected="selected"|selected="selected"[^>]*value="website_manager"/, role_select)
+ # Le rôle visitor (sans droit) n'est jamais proposé.
+ assert_not_includes role_select, 'value="visitor"'
+
+ # La cible est transmise par son seul uuid, présélectionnée.
+ scope_select = response.body[/]*data-user-role-scope[^>]*>.*?<\/select>/m]
+ assert_match(/value="#{website_with_github.id}"[^>]*selected="selected"|selected="selected"[^>]*value="#{website_with_github.id}"/, scope_select)
+
+ # .nested-fields ne doit pas porter d-flex, sinon cocoon ne peut pas la
+ # masquer (display:none écrasé par flex !important) — pas de feedback visuel.
+ nested_fields_class = response.body[/class="(nested-fields[^"]*)"/, 1]
+ assert_not_includes nested_fields_class, "d-flex"
+ end
+
+ test "attribue des rôles scopés via les attributs imbriqués" do
+ patch admin_user_path(alumnus, lang: french), params: {
+ user: {
+ roles_attributes: {
+ "0" => { role: "website_manager", scope_choice: website_with_github.id }
+ }
+ }
+ }
+
+ target = User.find(alumnus.id)
+ assert_equal ["website_manager"], target.roles.pluck(:role)
+ assert_equal website_with_github, target.roles.first.scope
+ assert_equal "website_manager", target.role
+ end
+
+ test "supprime un rôle via _destroy (lien de suppression cocoon)" do
+ target = User.find(alumnus.id)
+ role = target.grant_role!(:website_manager, scope: website_with_github)
+
+ # La ligne masquée par cocoon resoumet rôle + cible en plus de _destroy.
+ patch admin_user_path(target, lang: french), params: {
+ user: {
+ roles_attributes: {
+ "0" => { id: role.id, role: "website_manager", scope_choice: website_with_github.id, _destroy: "1" }
+ }
+ }
+ }
+
+ target.reload
+ assert_empty target.roles
+ assert_equal "visitor", target.role # le cache retombe sur visitor
+ end
+end
diff --git a/test/fixtures/user/roles.yml b/test/fixtures/user/roles.yml
new file mode 100644
index 0000000000..5b50722eeb
--- /dev/null
+++ b/test/fixtures/user/roles.yml
@@ -0,0 +1,9 @@
+admin:
+ user: admin
+ university: default_university
+ role: admin
+
+server_admin:
+ user: server_admin
+ university: default_university
+ role: server_admin
diff --git a/test/models/ability_test.rb b/test/models/ability_test.rb
new file mode 100644
index 0000000000..e9eebf9130
--- /dev/null
+++ b/test/models/ability_test.rb
@@ -0,0 +1,68 @@
+require "test_helper"
+
+# rails test test/models/ability_test.rb
+class AbilityTest < ActiveSupport::TestCase
+ def program
+ @program ||= education_programs(:default_program)
+ end
+
+ # Construit en mémoire (sans persister) les rôles d'un utilisateur, pour
+ # tester Ability sans effet de bord (pas de callbacks, pas d'API externe).
+ def user_with(fixture, *roles)
+ user = User.find(users(fixture).id)
+ user.roles.load_target # charge les éventuels rôles fixtures
+ roles.each do |attrs|
+ user.roles.build(university: default_university, **attrs)
+ end
+ user
+ end
+
+ def event_on(website)
+ Communication::Website::Agenda::Event.new(
+ university_id: default_university.id,
+ communication_website_id: website.id
+ )
+ end
+
+ test "un seul rôle : admin gère son université mais ne détruit pas de site" do
+ ability = Ability.for(admin)
+ assert ability.can?(:manage, University::Organization.new(university_id: default_university.id))
+ assert_not ability.can?(:destroy, Communication::Website.new(university_id: default_university.id))
+ end
+
+ test "visitor (aucun rôle) : aucun droit" do
+ ability = Ability.for(alumnus)
+ assert_not ability.can?(:manage, Communication::Website.new(university_id: default_university.id))
+ end
+
+ test "un author n'a de droits que sur SES sites" do
+ user = user_with(:alumnus, { role: :author, scope: website_with_github })
+ ability = Ability.for(user)
+ assert ability.can?(:create, event_on(website_with_github))
+ assert_not ability.can?(:create, event_on(website_with_gitlab))
+ end
+
+ test "les rôles sont additifs : chacun apporte ses droits" do
+ author_only = Ability.for(user_with(:alumnus, { role: :author, scope: website_with_github }))
+ author_and_pm = Ability.for(user_with(:alumnus,
+ { role: :author, scope: website_with_github },
+ { role: :program_manager, scope: program }))
+ category = Education::Program::Category.new(university_id: default_university.id)
+
+ assert_not author_only.can?(:manage, category)
+ assert author_and_pm.can?(:manage, category)
+ end
+
+ test "les rôles fusionnent du moins au plus privilégié" do
+ user = user_with(:server_admin, { role: :website_manager, scope: website_with_github })
+ assert_equal ["website_manager", "server_admin"], user.ability_roles
+ end
+
+ test "le rôle le plus puissant l'emporte sur un cannot plus restrictif" do
+ # server_admin (can :manage, :all) + website_manager (cannot :destroy site) :
+ # l'ordre de fusion doit préserver le droit de destruction du server_admin.
+ user = user_with(:server_admin, { role: :website_manager, scope: website_with_github })
+ website = Communication::Website.new(university_id: default_university.id)
+ assert Ability.for(user).can?(:destroy, website)
+ end
+end
diff --git a/test/models/user/role_test.rb b/test/models/user/role_test.rb
new file mode 100644
index 0000000000..d5ac41270b
--- /dev/null
+++ b/test/models/user/role_test.rb
@@ -0,0 +1,77 @@
+require "test_helper"
+
+# rails test test/models/user/role_test.rb
+class User::RoleTest < ActiveSupport::TestCase
+ def site_a
+ @site_a ||= website_with_github
+ end
+
+ def program
+ @program ||= education_programs(:default_program)
+ end
+
+ # alumnus est un visitor sans rôle au départ.
+ def user
+ @user ||= User.find(alumnus.id)
+ end
+
+ test "les attributs imbriqués créent des rôles scopés et rafraîchissent le cache" do
+ user.modified_by = admin
+ user.update!(roles_attributes: [
+ { role: "website_manager", scope_choice: site_a.id },
+ { role: "admin" }
+ ])
+ user.reload
+
+ assert_equal %w[admin website_manager], user.roles.pluck(:role).sort
+ website_manager_role = user.roles.find_by(role: "website_manager")
+ assert_equal site_a, website_manager_role.scope
+ assert_equal user.university, website_manager_role.university
+ # cache = rôle le plus élevé détenu
+ assert_equal "admin", user.role
+ end
+
+ test "ne transmet que l'uuid ; le type de cible est déduit du rôle" do
+ role = user.roles.build(role: "program_manager")
+ role.scope_choice = program.id
+ role.valid? # déclenche la déduction du type depuis le rôle
+ assert_equal "Education::Program", role.scope_type
+ assert_equal program, role.scope
+ assert_equal program.id, role.scope_choice
+ end
+
+ test "refuse un rôle au-dessus de ce que le modificateur gère" do
+ user.modified_by = admin # un admin ne gère pas server_admin
+ user.roles_attributes = [{ role: "server_admin" }]
+
+ assert_not user.save
+ assert user.errors[:base].present?
+ end
+
+ test "efface la cible d'un rôle global" do
+ role = user.roles.build(role: "admin", scope: site_a)
+ assert role.valid?
+ assert_nil role.scope
+ end
+
+ test "exige une cible pour un rôle scopé" do
+ role = user.roles.build(role: "website_manager")
+ assert_not role.valid?
+ end
+
+ test "force le type de cible selon le rôle (pas de mauvais type possible)" do
+ role = user.roles.build(role: "website_manager", scope_id: program.id)
+ role.valid?
+ assert_equal "Communication::Website", role.scope_type
+ end
+
+ test "grant_role! est idempotent et maintient le cache" do
+ user.grant_role!(:website_manager, scope: site_a)
+ user.grant_role!(:website_manager, scope: site_a) # idempotent
+ user.reload
+
+ assert_equal 1, user.roles.where(role: "website_manager").count
+ assert user.has_role?("website_manager")
+ assert_equal "website_manager", user.role
+ end
+end