SocialGouv · pYassine · Sep 24, 2025 · Sep 24, 2025 · Sep 24, 2025 · Sep 24, 2025
diff --git a/packages/backend/src/modules/structures/controllers/structure-doc.controller.ts b/packages/backend/src/modules/structures/controllers/structure-doc.controller.ts
@@ -81,6 +81,7 @@ export class StructureDocController {
 
   @ApiOperation({ summary: "Upload de documents personnalisables" })
   @Post("")
+  @AllowUserStructureRoles("responsable", "admin")
   @UseInterceptors(
     FileInterceptor("file", {
       limits: FILES_SIZE_LIMIT,
@@ -193,6 +194,7 @@ export class StructureDocController {
   }
 
   @Delete(":uuid")
+  @AllowUserStructureRoles("responsable", "admin")
   public async deleteDocument(
     @Param("uuid", new ParseUUIDPipe()) uuid: string,
     @CurrentUser() user: UserStructureAuthenticated,

diff --git a/packages/backend/src/usagers/controllers/usagers-decision.controller.ts b/packages/backend/src/usagers/controllers/usagers-decision.controller.ts
@@ -2,6 +2,7 @@ import {
   Body,
   Controller,
   Delete,
+  ForbiddenException,
   Get,
   HttpStatus,
   Param,
@@ -34,11 +35,10 @@ import {
   UsagerDecision,
   UsagerNote,
   Usager,
-  UsagerDecisionStatut,
-  UserStructureRole,
 } from "@domifa/common";
 import { format } from "date-fns";
 import { getLastInteractionOut } from "../../modules/interactions/services";
+import { canAddDecision } from "../guards";
 
 @Controller("usagers-decision")
 @ApiTags("usagers-decision")
@@ -61,18 +61,11 @@ export class UsagersDecisionController {
     // eslint-disable-next-line @typescript-eslint/no-unused-vars
     @Param("usagerRef", new ParseIntPipe()) _usagerRef: number
   ): Promise<Usager> {
-    const decisionsToCheck: UsagerDecisionStatut[] = [
-      "ATTENTE_DECISION",
-      "INSTRUCTION",
-    ];
-    const rightsToCheck: UserStructureRole[] = ["responsable", "admin"];
-    if (
-      !decisionsToCheck.includes(decision.statut) &&
-      !rightsToCheck.includes(user.role)
-    ) {
-      throw new Error("CANNOT_SET_DECISION");
+    if (!canAddDecision(user.role, decision.statut)) {
+      throw new ForbiddenException(
+        "Permissions insuffisantes pour cette action"
+      );
     }
-
     decision.userName = `${user.prenom} ${user.nom}`;
     decision.userId = user.id;
 

diff --git a/packages/backend/src/usagers/decorators/index.ts b/packages/backend/src/usagers/decorators/index.ts
@@ -0,0 +1,2 @@
+// @index('./*decorator.ts', f => `export * from '${f.path}'`)
+export * from "./validate-search-field.decorator";
diff --git a/.../utils/validate-search-field.decorator.ts → ...rators/validate-search-field.decorator.ts b/.../utils/validate-search-field.decorator.ts → ...rators/validate-search-field.decorator.ts
@@ -3,7 +3,7 @@ import {
   registerDecorator,
   ValidationArguments,
 } from "class-validator";
-import { validateSearchField } from "./validate-search-field";
+import { validateSearchField } from "../utils/validate-search-field";
 
 export function ValidateSearchField(validationOptions?: ValidationOptions) {
   return function (object: object, propertyName: string) {

diff --git a/packages/backend/src/usagers/guards/can-add-decision.spec.ts b/packages/backend/src/usagers/guards/can-add-decision.spec.ts
@@ -0,0 +1,75 @@
+import { UserStructureRole, UsagerDecisionStatut } from "@domifa/common";
+import { canAddDecision } from "./can-add-decision";
+
+interface TestCase {
+  role: UserStructureRole;
+  decisionStatut: UsagerDecisionStatut;
+  expectedAccess: boolean;
+}
+
+describe("canAddDecision", () => {
+  const testCases: TestCase[] = [
+    { role: "facteur", decisionStatut: "INSTRUCTION", expectedAccess: false },
+    {
+      role: "facteur",
+      decisionStatut: "ATTENTE_DECISION",
+      expectedAccess: false,
+    },
+    { role: "facteur", decisionStatut: "RADIE", expectedAccess: false },
+    { role: "facteur", decisionStatut: "VALIDE", expectedAccess: false },
+    { role: "facteur", decisionStatut: "REFUS", expectedAccess: false },
+
+    { role: "agent", decisionStatut: "INSTRUCTION", expectedAccess: false },
+    {
+      role: "agent",
+      decisionStatut: "ATTENTE_DECISION",
+      expectedAccess: false,
+    },
+    { role: "agent", decisionStatut: "RADIE", expectedAccess: false },
+    { role: "agent", decisionStatut: "VALIDE", expectedAccess: false },
+    { role: "agent", decisionStatut: "REFUS", expectedAccess: false },
+
+    { role: "simple", decisionStatut: "INSTRUCTION", expectedAccess: true },
+    {
+      role: "simple",
+      decisionStatut: "ATTENTE_DECISION",
+      expectedAccess: true,
+    },
+    { role: "simple", decisionStatut: "RADIE", expectedAccess: true },
+    { role: "simple", decisionStatut: "VALIDE", expectedAccess: false },
+    { role: "simple", decisionStatut: "REFUS", expectedAccess: false },
+
+    {
+      role: "responsable",
+      decisionStatut: "INSTRUCTION",
+      expectedAccess: true,
+    },
+    {
+      role: "responsable",
+      decisionStatut: "ATTENTE_DECISION",
+      expectedAccess: true,
+    },
+    { role: "responsable", decisionStatut: "RADIE", expectedAccess: true },
+    { role: "responsable", decisionStatut: "VALIDE", expectedAccess: true },
+    { role: "responsable", decisionStatut: "REFUS", expectedAccess: true },
+
+    { role: "admin", decisionStatut: "INSTRUCTION", expectedAccess: true },
+    { role: "admin", decisionStatut: "ATTENTE_DECISION", expectedAccess: true },
+    { role: "admin", decisionStatut: "RADIE", expectedAccess: true },
+    { role: "admin", decisionStatut: "VALIDE", expectedAccess: true },
+    { role: "admin", decisionStatut: "REFUS", expectedAccess: true },
+  ];
+
+  test.each(testCases)(
+    'Rôle "$role" avec statut "$decisionStatut" doit retourner $expectedAccess',
+    ({ role, decisionStatut, expectedAccess }) => {
+      expect(canAddDecision(role, decisionStatut)).toBe(expectedAccess);
+    }
+  );
+
+  it("retourne false pour un statut inexistant", () => {
+    expect(
+      canAddDecision("admin", "STATUT_INEXISTANT" as UsagerDecisionStatut)
+    ).toBe(false);
+  });
+});
diff --git a/packages/backend/src/usagers/guards/can-add-decision.ts b/packages/backend/src/usagers/guards/can-add-decision.ts
@@ -0,0 +1,22 @@
+import { UserStructureRole, UsagerDecisionStatut } from "@domifa/common";
+
+export const canAddDecision = (
+  userRole: UserStructureRole,
+  decisionStatus: UsagerDecisionStatut
+): boolean => {
+  const instructRoles: UserStructureRole[] = ["simple", "responsable", "admin"];
+  const validateOrRefuseRoles: UserStructureRole[] = ["responsable", "admin"];
+
+  const canInstruct = instructRoles.includes(userRole);
+  const canValidateOrRefuse = validateOrRefuseRoles.includes(userRole);
+
+  const permissions: { [key in UsagerDecisionStatut]: boolean } = {
+    INSTRUCTION: canInstruct,
+    ATTENTE_DECISION: canInstruct,
+    RADIE: canInstruct,
+    VALIDE: canValidateOrRefuse,
+    REFUS: canValidateOrRefuse,
+  };
+
+  return permissions[decisionStatus] || false;
+};
diff --git a/packages/backend/src/usagers/guards/index.ts b/packages/backend/src/usagers/guards/index.ts
@@ -0,0 +1,2 @@
+// @index('./*guard.ts', f => `export * from '${f.path}'`)
+export * from "./can-add-decision";
diff --git a/packages/backend/src/usagers/utils/index.ts b/packages/backend/src/usagers/utils/index.ts
@@ -2,6 +2,5 @@
 export * from "./cerfa";
 export * from "./custom-docs";
 export * from "./dataCleanerForStats.service";
-export * from "./validate-search-field.decorator";
 export * from "./validate-search-field";
 export * from "./xlsx-structure-usagers-renderer";
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		// @index('./decorator.ts', f => `export from '${f.path}'`)
		export * from "./validate-search-field.decorator";
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		// @index('./guard.ts', f => `export from '${f.path}'`)
		export * from "./can-add-decision";