Refactor user roles

Signed-off-by: Tim Goudriaan <tim@codedmonkey.com>

Author: codedmonkey

migrations/Version20260112221847.php

@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+final class Version20260112221847 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Refactor user roles from JSON array to single role enum';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // Add new role column as nullable
+        $this->addSql('ALTER TABLE "user" ADD role VARCHAR(64) DEFAULT NULL');
+
+        // Migrate existing data: extract the highest privilege role from the roles array
+        $this->addSql(<<<'SQL'
+            UPDATE "user"
+            SET role = CASE
+                WHEN roles::text LIKE '%ROLE_SUPER_ADMIN%' THEN 'ROLE_SUPER_ADMIN'
+                WHEN roles::text LIKE '%ROLE_ADMIN%' THEN 'ROLE_ADMIN'
+                ELSE 'ROLE_USER'
+            END
+        SQL);
+
+        // Make role column NOT NULL
+        $this->addSql('ALTER TABLE "user" ALTER COLUMN role SET NOT NULL');
+
+        // Drop the old roles column
+        $this->addSql('ALTER TABLE "user" DROP roles');
+    }
+
+    public function down(Schema $schema): void
+    {
+        // Add back the roles column
+        $this->addSql('ALTER TABLE "user" ADD roles JSON DEFAULT NULL');
+
+        // Migrate data back: convert single role to array
+        $this->addSql(<<<'SQL'
+            UPDATE "user"
+            SET roles = CASE
+                WHEN role = 'ROLE_SUPER_ADMIN' THEN '["ROLE_SUPER_ADMIN"]'::json
+                WHEN role = 'ROLE_ADMIN' THEN '["ROLE_ADMIN"]'::json
+                ELSE '[]'::json
+            END
+        SQL);
+
+        // Make roles column NOT NULL
+        $this->addSql('ALTER TABLE "user" ALTER COLUMN roles SET NOT NULL');
+
+        // Drop the new role column
+        $this->addSql('ALTER TABLE "user" DROP role');
+    }
+}

src/Controller/Dashboard/DashboardSecurityController.php

@@ -3,6 +3,7 @@
 namespace CodedMonkey\Dirigent\Controller\Dashboard;
 
 use CodedMonkey\Dirigent\Doctrine\Entity\User;
+use CodedMonkey\Dirigent\Doctrine\Entity\UserRole;
 use CodedMonkey\Dirigent\Doctrine\Repository\UserRepository;
 use CodedMonkey\Dirigent\Form\RegistrationFormType;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@@ -56,7 +57,7 @@ public function register(Request $request, Security $security): Response
         if ($form->isSubmitted() && $form->isValid()) {
             // The first user gets owner privileges
             if ($noUsers) {
-                $user->setRoles(['ROLE_SUPER_ADMIN', 'ROLE_USER']);
+                $user->setRole(UserRole::Owner);
             }
 
             $this->userRepository->save($user, true);

src/Controller/Dashboard/DashboardUserController.php

@@ -3,6 +3,7 @@
 namespace CodedMonkey\Dirigent\Controller\Dashboard;
 
 use CodedMonkey\Dirigent\Doctrine\Entity\User;
+use CodedMonkey\Dirigent\Doctrine\Entity\UserRole;
 use CodedMonkey\Dirigent\Form\NewPasswordType;
 use EasyCorp\Bundle\EasyAdminBundle\Attribute\AdminRoute;
 use EasyCorp\Bundle\EasyAdminBundle\Config\Action;
@@ -55,19 +56,13 @@ public function configureFields(string $pageName): iterable
             ->setFormType(PasswordType::class)
             ->setFormTypeOption('constraints', NewPasswordType::constraints())
             ->onlyOnForms();
-        yield ChoiceField::new('roles')
-            ->setChoices([
-                'User' => 'ROLE_USER',
-                'Admin' => 'ROLE_ADMIN',
-                'Owner' => 'ROLE_SUPER_ADMIN',
-            ])
+        yield ChoiceField::new('role')
+            ->setChoices(UserRole::cases())
             ->renderAsBadges([
                 'ROLE_USER' => 'primary',
                 'ROLE_ADMIN' => 'success',
                 'ROLE_SUPER_ADMIN' => 'success',
             ])
-            ->renderExpanded()
-            ->allowMultipleChoices()
             ->setSortable(false);
         yield BooleanField::new('totpAuthenticationEnabled', 'Multi-factor authentication')
             ->setHelp('form.user.help.totp-authentication-enabled')

src/Doctrine/DataFixtures/AppFixtures.php

@@ -5,6 +5,7 @@
 use CodedMonkey\Dirigent\Doctrine\Entity\Registry;
 use CodedMonkey\Dirigent\Doctrine\Entity\RegistryPackageMirroring;
 use CodedMonkey\Dirigent\Doctrine\Entity\User;
+use CodedMonkey\Dirigent\Doctrine\Entity\UserRole;
 use Doctrine\Bundle\FixturesBundle\Fixture;
 use Doctrine\Persistence\ObjectManager;
 
@@ -18,7 +19,7 @@ public function load(ObjectManager $manager): void
             $user->setUsername($userData['username']);
             $user->setName($userData['name']);
             $user->setEmail($userData['email']);
-            $user->setRoles($userData['roles']);
+            $user->setRole($userData['role']);
             $user->setPlainPassword($userData['password']);
 
             $manager->persist($user);
@@ -45,23 +46,23 @@ private function getUsers(): \Generator
             'username' => 'owner',
             'name' => 'Owner',
             'email' => 'owner@example.com',
-            'roles' => ['ROLE_SUPER_ADMIN'],
+            'role' => UserRole::Owner,
             'password' => 'PlainPassword99',
         ];
 
         yield [
             'username' => 'admin',
             'name' => 'Admin User',
             'email' => 'admin@example.com',
-            'roles' => ['ROLE_ADMIN'],
+            'role' => UserRole::Admin,
             'password' => 'PlainPassword99',
         ];
 
         yield [
             'username' => 'user',
             'name' => 'Regular User',
             'email' => 'user@example.com',
-            'roles' => [],
+            'role' => UserRole::User,
             'password' => 'PlainPassword99',
         ];
     }

src/Doctrine/Entity/User.php

@@ -3,6 +3,7 @@
 namespace CodedMonkey\Dirigent\Doctrine\Entity;
 
 use CodedMonkey\Dirigent\Doctrine\Repository\UserRepository;
+use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping\Column;
 use Doctrine\ORM\Mapping\Entity;
 use Doctrine\ORM\Mapping\GeneratedValue;
@@ -34,8 +35,8 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, TwoFact
     #[Column(length: 180, nullable: true)]
     private ?string $email = null;
 
-    #[Column]
-    private array $roles = [];
+    #[Column(type: Types::STRING, length: 64, enumType: UserRole::class)]
+    private UserRole $role = UserRole::User;
 
     #[Column]
     private ?string $password = null;
@@ -82,15 +83,28 @@ public function setEmail(?string $email): void
 
     public function getRoles(): array
     {
-        $roles = $this->roles;
-        $roles[] = 'ROLE_USER';
+        $roles = [$this->role->value];
+
+        // Add role hierarchy for Symfony security
+        if ($this->role === UserRole::Owner) {
+            $roles[] = 'ROLE_ADMIN';
+            $roles[] = 'ROLE_USER';
+            $roles[] = 'ROLE_ALLOWED_TO_SWITCH';
+        } elseif ($this->role === UserRole::Admin) {
+            $roles[] = 'ROLE_USER';
+        }
 
         return array_unique($roles);
     }
 
-    public function setRoles(array $roles): void
+    public function getRole(): UserRole
+    {
+        return $this->role;
+    }
+
+    public function setRole(UserRole $role): void
     {
-        $this->roles = $roles;
+        $this->role = $role;
     }
 
     public function getPassword(): ?string
@@ -143,37 +157,39 @@ public function eraseCredentials(): void
 
     public function isAdmin(): bool
     {
-        return in_array('ROLE_ADMIN', $this->roles, true) || in_array('ROLE_SUPER_ADMIN', $this->roles, true);
+        return $this->role === UserRole::Admin || $this->role === UserRole::Owner;
     }
 
     public function isSuperAdmin(): bool
     {
-        return in_array('ROLE_SUPER_ADMIN', $this->roles, true);
+        return $this->role === UserRole::Owner;
+    }
+
+    public function isOwner(): bool
+    {
+        return $this->role === UserRole::Owner;
+    }
+
+    public function isSuspended(): bool
+    {
+        return $this->role === UserRole::Suspended;
     }
 
     public function setAdmin(bool $admin): void
     {
         if ($admin) {
-            if (!in_array('ROLE_ADMIN', $this->roles, true)) {
-                $this->roles[] = 'ROLE_ADMIN';
-            }
-        } else {
-            if (false !== $key = array_search('ROLE_ADMIN', $this->roles, true)) {
-                unset($this->roles[$key]);
-            }
+            $this->role = UserRole::Admin;
+        } elseif ($this->role === UserRole::Admin) {
+            $this->role = UserRole::User;
         }
     }
 
     public function setSuperAdmin(bool $admin): void
     {
         if ($admin) {
-            if (!in_array('ROLE_SUPER_ADMIN', $this->roles, true)) {
-                $this->roles[] = 'ROLE_SUPER_ADMIN';
-            }
-        } else {
-            if (false !== $key = array_search('ROLE_SUPER_ADMIN', $this->roles, true)) {
-                unset($this->roles[$key]);
-            }
+            $this->role = UserRole::Owner;
+        } elseif ($this->role === UserRole::Owner) {
+            $this->role = UserRole::User;
         }
     }
 

src/Doctrine/Entity/UserRole.php

@@ -0,0 +1,10 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Doctrine\Entity;
+
+enum UserRole: string
+{
+    case Owner = 'ROLE_SUPER_ADMIN';
+    case Admin = 'ROLE_ADMIN';
+    case User = 'ROLE_USER';
+}

translations/messages.en.yaml

@@ -35,7 +35,7 @@ Package Mirroring: Package mirroring
 Password: Password
 Repeat new password: Repeat new password
 Repository url: Repository URL
-Roles: Roles
+Role: Role
 Token: Token
 Type: Type
 URL: URL