Add user company/role management commands

Author: Vitexus

CHANGELOG.md

@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.5.6] - 2026-06-06
+
+### Added
+- `user-company:assign --company_id <id> (--user_id <id> | --login <login> | --email <email>) [--role <role>]` - assign a user to a company with an optional company-scoped role
+- `user-company:unassign --company_id <id> (--user_id <id> | --login <login> | --email <email>)` - remove a user-company assignment
+- `user-role:set (--user_id <id> | --login <login> | --email <email>) --roles <role1,role2,...> [--replace] [--assigned_by <id>]` - assign RBAC roles by role name
+
+### Changed
+- Updated command documentation in `README.md`, `doc/multiflexi-cli.rst`, and `debian/multiflexi-cli.1`
+- Added command metadata tests in `tests/src/Command/UserAccessCommandsTest.php`
+
 ## [2.5.5] - 2026-05-28
 
 ### Fixed

README.md

@@ -47,6 +47,9 @@ multiflexi-cli <command> [options]
 | `job:status --id <id>` | Get job status |
 | `company:list` | List companies |
 | `company-app:list` | List company–application assignments |
+| `user-company:assign --company_id <id> --user_id <id>` | Assign user to company |
+| `user-company:unassign --company_id <id> --user_id <id>` | Unassign user from company |
+| `user-role:set --user_id <id> --roles <r1,r2>` | Set RBAC roles for user |
 | `credential-type:list` | List credential types |
 | `credential-type:import-json --file <file>` | Import credential type from JSON |
 | `user:list` | List users |
@@ -94,6 +97,14 @@ multiflexi-cli job:status --id 123
 multiflexi-cli user:create --login "jsmith" --email "john@example.com"
 multiflexi-cli user:list --format json
 
+# User-company assignments
+multiflexi-cli user-company:assign --company_id 2 --login "jsmith" --role viewer
+multiflexi-cli user-company:unassign --company_id 2 --login "jsmith"
+
+# User RBAC roles
+multiflexi-cli user-role:set --login "jsmith" --roles admin,viewer --replace=true
+multiflexi-cli user-role:set --login "jsmith" --roles editor --replace=false
+
 # Credential types
 multiflexi-cli credential-type:list
 multiflexi-cli credential-type:get --uuid "d3d3ae58-d64a-4ab4-afb5-ba439ffc8587"

debian/changelog

@@ -1,3 +1,13 @@
+multiflexi-cli (2.5.6) UNRELEASED; urgency=medium
+
+  * Add user-company:assign command
+  * Add user-company:unassign command
+  * Add user-role:set command for RBAC role assignment
+  * Update docs: README, doc/multiflexi-cli.rst, debian/multiflexi-cli.1
+  * Add tests: UserAccessCommandsTest
+
+ -- Vítězslav Dvořák <info@vitexsoftware.cz>  Sat, 06 Jun 2026 12:00:00 +0200
+
 multiflexi-cli (2.5.5) UNRELEASED; urgency=medium
 
   * Fix: rename --runtemplate_id to --id on run-template:assign-credential,

debian/multiflexi-cli.1

@@ -80,6 +80,18 @@ Manage users.
 Options: --id, --login, --email, --firstname, --lastname, --password, --plaintext, --enabled, --format
 .RE
 .TP
+.B user-company:assign / user-company:unassign
+Assign and unassign users to/from companies.
+.RS
+Options: --company_id, --user_id, --login, --email, --role (assign only), --format
+.RE
+.TP
+.B user-role:set
+Set RBAC roles for a user.
+.RS
+Options: --user_id, --login, --email, --roles, --replace, --assigned_by, --format
+.RE
+.TP
 .B user-erasure:list / user-erasure:create / user-erasure:approve / user-erasure:reject / user-erasure:process / user-erasure:audit / user-erasure:cleanup
 Manage GDPR user data erasure requests (Article 17 Right to Erasure).
 .RS
@@ -268,6 +280,15 @@ Generate a new token for user ID 2:
 Assign application to company:
 .B multiflexi-cli company-app:assign --company_id=1 --app_id=5
 .TP
+Assign user to company:
+.B multiflexi-cli user-company:assign --company_id=2 --login=jsmith --role=viewer
+.TP
+Unassign user from company:
+.B multiflexi-cli user-company:unassign --company_id=2 --login=jsmith
+.TP
+Set RBAC roles for user:
+.B multiflexi-cli user-role:set --login=jsmith --roles=admin,viewer --replace=true
+.TP
 Import credential type from JSON:
 .B multiflexi-cli credential-type:import-json --file=credtype.json
 .TP

doc/multiflexi-cli.rst

@@ -50,6 +50,8 @@ The MultiFlexi CLI provides the following main commands:
 - **application:\***     - Manage applications (list, get, create, update, delete, import/export/remove JSON, show config)
 - **company:\***         - Manage companies and their settings
 - **company-app:\***     - Manage company-application relations (list, assign, unassign)
+- **user-company:\***    - Assign/unassign users to companies
+- **user-role:\***       - Set RBAC roles for users
 - **job:\***             - Manage job execution and monitoring
 - **run-template:\***    - Manage run templates, scheduling, and credential assignment
 - **user:\***            - User account management
@@ -144,6 +146,48 @@ Examples:
     multiflexi-cli company-app:assign --company_id=1 --app_uuid=uuid-123 --format=json
     multiflexi-cli company-app:unassign --company_id=1 --app_id=2
 
+user-company
+------------
+
+Manage user-company assignments (assign, unassign).
+
+Options:
+  --company_id   Company ID (required)
+  --user_id      User ID (required unless --login/--email is used)
+  --login        User login (alternative to --user_id)
+  --email        User email (alternative to --user_id)
+  --role         Assignment role for ``company_user.role`` (assign only, default: ``viewer``)
+  -f, --format   Output format: text or json (default: text)
+
+Examples:
+
+.. code-block:: bash
+
+    multiflexi-cli user-company:assign --company_id=2 --user_id=10 --role=viewer
+    multiflexi-cli user-company:assign --company_id=2 --login=jsmith --role=editor
+    multiflexi-cli user-company:unassign --company_id=2 --email=john@example.com
+
+user-role
+---------
+
+Set RBAC roles for users.
+
+Options:
+  --user_id      User ID (required unless --login/--email is used)
+  --login        User login (alternative to --user_id)
+  --email        User email (alternative to --user_id)
+  --roles        Comma-separated role names (e.g. ``admin,viewer``)
+  --replace      Replace existing assignments (true/false, default: true)
+  --assigned_by  Optional user ID to store as assigner
+  -f, --format   Output format: text or json (default: text)
+
+Examples:
+
+.. code-block:: bash
+
+    multiflexi-cli user-role:set --user_id=10 --roles=admin,viewer --replace=true
+    multiflexi-cli user-role:set --login=jsmith --roles=editor --replace=false --assigned_by=1
+
 credential-type
 ---------------
 

src/Command/UserCompany/AssignCommand.php

@@ -0,0 +1,147 @@
+<?php
+
+declare(strict_types=1);
+
+namespace MultiFlexi\Cli\Command\UserCompany;
+
+use MultiFlexi\Cli\Command\MultiFlexiCommand;
+use MultiFlexi\Company;
+use MultiFlexi\User;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class AssignCommand extends MultiFlexiCommand
+{
+    protected static $defaultName = 'user-company:assign';
+
+    protected function configure(): void
+    {
+        $this
+            ->setName('user-company:assign')
+            ->setDescription('Assign a user to a company')
+            ->addOption('format', 'f', InputOption::VALUE_OPTIONAL, 'Output format: text or json', 'text')
+            ->addOption('company_id', null, InputOption::VALUE_REQUIRED, 'Company ID')
+            ->addOption('user_id', null, InputOption::VALUE_REQUIRED, 'User ID')
+            ->addOption('login', null, InputOption::VALUE_REQUIRED, 'User login (alternative to --user_id)')
+            ->addOption('email', null, InputOption::VALUE_REQUIRED, 'User email (alternative to --user_id)')
+            ->addOption('role', null, InputOption::VALUE_OPTIONAL, 'Assignment role in company_user table', 'viewer');
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $format = strtolower((string) $input->getOption('format'));
+        $companyId = (int) $input->getOption('company_id');
+        $role = (string) $input->getOption('role');
+
+        if ($companyId <= 0) {
+            $msg = 'Missing or invalid --company_id';
+            $format === 'json' ? $this->jsonError($output, $msg) : $output->writeln("<error>{$msg}</error>");
+
+            return self::FAILURE;
+        }
+
+        $company = new Company($companyId);
+
+        if (empty($company->getData())) {
+            $msg = "Company #{$companyId} not found";
+            $format === 'json' ? $this->jsonError($output, $msg) : $output->writeln("<error>{$msg}</error>");
+
+            return self::FAILURE;
+        }
+
+        $userId = $this->resolveUserId($input);
+
+        if ($userId <= 0) {
+            $msg = 'Provide --user_id or --login or --email';
+            $format === 'json' ? $this->jsonError($output, $msg) : $output->writeln("<error>{$msg}</error>");
+
+            return self::FAILURE;
+        }
+
+        $user = new User($userId);
+
+        if (empty($user->getData())) {
+            $msg = "User #{$userId} not found";
+            $format === 'json' ? $this->jsonError($output, $msg) : $output->writeln("<error>{$msg}</error>");
+
+            return self::FAILURE;
+        }
+
+        $pdo = $this->connectPdo();
+
+        if (!$this->tableExists($pdo, 'company_user')) {
+            $msg = 'Table company_user does not exist. Run database migrations first.';
+            $format === 'json' ? $this->jsonError($output, $msg) : $output->writeln("<error>{$msg}</error>");
+
+            return self::FAILURE;
+        }
+
+        $sql = 'INSERT INTO company_user (company_id, user_id, role) VALUES (?, ?, ?) '
+            .'ON DUPLICATE KEY UPDATE role = VALUES(role)';
+        $ok = $pdo->prepare($sql)->execute([$companyId, $userId, $role]);
+
+        if (!$ok) {
+            $msg = 'Failed to assign user to company';
+            $format === 'json' ? $this->jsonError($output, $msg) : $output->writeln("<error>{$msg}</error>");
+
+            return self::FAILURE;
+        }
+
+        if ($format === 'json') {
+            $this->jsonSuccess($output, 'User assigned to company', [
+                'company_id' => $companyId,
+                'user_id' => $userId,
+                'role' => $role,
+            ]);
+        } else {
+            $output->writeln("User #{$userId} assigned to company #{$companyId} with role '{$role}'");
+        }
+
+        return self::SUCCESS;
+    }
+
+    private function resolveUserId(InputInterface $input): int
+    {
+        $userId = (int) $input->getOption('user_id');
+
+        if ($userId > 0) {
+            return $userId;
+        }
+
+        $login = trim((string) $input->getOption('login'));
+        $email = trim((string) $input->getOption('email'));
+
+        if ($login !== '') {
+            $found = (new User())->listingQuery()->where(['login' => $login])->fetch();
+
+            return $found ? (int) $found['id'] : 0;
+        }
+
+        if ($email !== '') {
+            $found = (new User())->listingQuery()->where(['email' => $email])->fetch();
+
+            return $found ? (int) $found['id'] : 0;
+        }
+
+        return 0;
+    }
+
+    private function connectPdo(): \PDO
+    {
+        return new \PDO(
+            \Ease\Shared::cfg('DB_CONNECTION').':host='.\Ease\Shared::cfg('DB_HOST').';port='.(string) \Ease\Shared::cfg('DB_PORT', 3306).';dbname='.\Ease\Shared::cfg('DB_DATABASE').';charset=utf8mb4',
+            \Ease\Shared::cfg('DB_USERNAME'),
+            \Ease\Shared::cfg('DB_PASSWORD'),
+            [\PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION],
+        );
+    }
+
+    private function tableExists(\PDO $pdo, string $table): bool
+    {
+        $stmt = $pdo->prepare('SELECT COUNT(*) FROM information_schema.tables WHERE table_schema = ? AND table_name = ?');
+        $stmt->execute([\Ease\Shared::cfg('DB_DATABASE'), $table]);
+
+        return (int) $stmt->fetchColumn() > 0;
+    }
+}