Refactor user roles

codedmonkey · codedmonkey · commit c5f4a8983633 · 2026-01-14T15:23:04.000+01:00
Signed-off-by: Tim Goudriaan &lt;tim@codedmonkey.com&gt;
diff --git a/migrations/Version20260112221847.php b/migrations/Version20260112221847.php
@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+final class Version20260112221847 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Refactor user roles from JSON array to single role enum';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // Add new role column as nullable
+        $this->addSql('ALTER TABLE "user" ADD role VARCHAR(64) DEFAULT NULL');
+
+        // Migrate existing data: extract the highest privilege role from the roles array
+        $this->addSql(<<<'SQL'
+            UPDATE "user"
+            SET role = CASE
+                WHEN roles::text LIKE '%ROLE_SUPER_ADMIN%' THEN 'ROLE_SUPER_ADMIN'
+                WHEN roles::text LIKE '%ROLE_ADMIN%' THEN 'ROLE_ADMIN'
+                ELSE 'ROLE_USER'
+            END
+        SQL);
+
+        // Make role column NOT NULL
+        $this->addSql('ALTER TABLE "user" ALTER COLUMN role SET NOT NULL');
+
+        // Drop the old roles column
+        $this->addSql('ALTER TABLE "user" DROP roles');
+    }
+
+    public function down(Schema $schema): void
+    {
+        // Add back the roles column
+        $this->addSql('ALTER TABLE "user" ADD roles JSON DEFAULT NULL');
+
+        // Migrate data back: convert single role to array
+        $this->addSql(<<<'SQL'
+            UPDATE "user"
+            SET roles = CASE
+                WHEN role = 'ROLE_SUPER_ADMIN' THEN '["ROLE_SUPER_ADMIN"]'::json
+                WHEN role = 'ROLE_ADMIN' THEN '["ROLE_ADMIN"]'::json
+                ELSE '[]'::json
+            END
+        SQL);
+
+        // Make roles column NOT NULL
+        $this->addSql('ALTER TABLE "user" ALTER COLUMN roles SET NOT NULL');
+
+        // Drop the new role column
+        $this->addSql('ALTER TABLE "user" DROP role');
+    }
+}
diff --git a/src/Controller/Dashboard/DashboardSecurityController.php b/src/Controller/Dashboard/DashboardSecurityController.php
@@ -4,6 +4,7 @@
 
 use CodedMonkey\Dirigent\Doctrine\Entity\User;
 use CodedMonkey\Dirigent\Doctrine\Repository\UserRepository;
+use CodedMonkey\Dirigent\Entity\UserRole;
 use CodedMonkey\Dirigent\Form\RegistrationFormType;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Bundle\SecurityBundle\Security;
@@ -56,7 +57,7 @@ public function register(Request $request, Security $security): Response
         if ($form->isSubmitted() && $form->isValid()) {
             // The first user gets owner privileges
             if ($noUsers) {
-                $user->setRoles(['ROLE_SUPER_ADMIN', 'ROLE_USER']);
+                $user->setRole(UserRole::Owner);
             }
 
             $this->userRepository->save($user, true);
diff --git a/src/Controller/Dashboard/DashboardUserController.php b/src/Controller/Dashboard/DashboardUserController.php
@@ -3,6 +3,7 @@
 namespace CodedMonkey\Dirigent\Controller\Dashboard;
 
 use CodedMonkey\Dirigent\Doctrine\Entity\User;
+use CodedMonkey\Dirigent\Entity\UserRole;
 use CodedMonkey\Dirigent\Form\NewPasswordType;
 use EasyCorp\Bundle\EasyAdminBundle\Attribute\AdminRoute;
 use EasyCorp\Bundle\EasyAdminBundle\Config\Action;
@@ -55,19 +56,13 @@ public function configureFields(string $pageName): iterable
             ->setFormType(PasswordType::class)
             ->setFormTypeOption('constraints', NewPasswordType::constraints())
             ->onlyOnForms();
-        yield ChoiceField::new('roles')
-            ->setChoices([
-                'User' => 'ROLE_USER',
-                'Admin' => 'ROLE_ADMIN',
-                'Owner' => 'ROLE_SUPER_ADMIN',
-            ])
+        yield ChoiceField::new('role')
+            ->setChoices(UserRole::cases())
             ->renderAsBadges([
-                'ROLE_USER' => 'primary',
-                'ROLE_ADMIN' => 'success',
-                'ROLE_SUPER_ADMIN' => 'success',
+                UserRole::User->value => 'primary',
+                UserRole::Admin->value => 'success',
+                UserRole::Owner->value => 'success',
             ])
-            ->renderExpanded()
-            ->allowMultipleChoices()
             ->setSortable(false);
         yield BooleanField::new('totpAuthenticationEnabled', 'Multi-factor authentication')
             ->setHelp('form.user.help.totp-authentication-enabled')
diff --git a/src/Doctrine/DataFixtures/AppFixtures.php b/src/Doctrine/DataFixtures/AppFixtures.php
@@ -5,6 +5,7 @@
 use CodedMonkey\Dirigent\Doctrine\Entity\Registry;
 use CodedMonkey\Dirigent\Doctrine\Entity\RegistryPackageMirroring;
 use CodedMonkey\Dirigent\Doctrine\Entity\User;
+use CodedMonkey\Dirigent\Entity\UserRole;
 use Doctrine\Bundle\FixturesBundle\Fixture;
 use Doctrine\Persistence\ObjectManager;
 
@@ -18,7 +19,7 @@ public function load(ObjectManager $manager): void
             $user->setUsername($userData['username']);
             $user->setName($userData['name']);
             $user->setEmail($userData['email']);
-            $user->setRoles($userData['roles']);
+            $user->setRole($userData['role']);
             $user->setPlainPassword($userData['password']);
 
             $manager->persist($user);
@@ -45,23 +46,23 @@ private function getUsers(): \Generator
             'username' => 'owner',
             'name' => 'Owner',
             'email' => 'owner@example.com',
-            'roles' => ['ROLE_SUPER_ADMIN'],
+            'role' => UserRole::Owner,
             'password' => 'PlainPassword99',
         ];
 
         yield [
             'username' => 'admin',
             'name' => 'Admin User',
             'email' => 'admin@example.com',
-            'roles' => ['ROLE_ADMIN'],
+            'role' => UserRole::Admin,
             'password' => 'PlainPassword99',
         ];
 
         yield [
             'username' => 'user',
             'name' => 'Regular User',
             'email' => 'user@example.com',
-            'roles' => [],
+            'role' => UserRole::User,
             'password' => 'PlainPassword99',
         ];
     }
diff --git a/src/Doctrine/Entity/User.php b/src/Doctrine/Entity/User.php
@@ -3,6 +3,8 @@
 namespace CodedMonkey\Dirigent\Doctrine\Entity;
 
 use CodedMonkey\Dirigent\Doctrine\Repository\UserRepository;
+use CodedMonkey\Dirigent\Entity\UserRole;
+use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\Mapping\Column;
 use Doctrine\ORM\Mapping\Entity;
 use Doctrine\ORM\Mapping\GeneratedValue;
@@ -34,8 +36,8 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface, TwoFact
     #[Column(length: 180, nullable: true)]
     private ?string $email = null;
 
-    #[Column]
-    private array $roles = [];
+    #[Column(type: Types::STRING, length: 64, enumType: UserRole::class)]
+    private UserRole $role = UserRole::User;
 
     #[Column]
     private ?string $password = null;
@@ -82,15 +84,17 @@ public function setEmail(?string $email): void
 
     public function getRoles(): array
     {
-        $roles = $this->roles;
-        $roles[] = 'ROLE_USER';
+        return [$this->role->value];
+    }
 
-        return array_unique($roles);
+    public function getRole(): UserRole
+    {
+        return $this->role;
     }
 
-    public function setRoles(array $roles): void
+    public function setRole(UserRole $role): void
     {
-        $this->roles = $roles;
+        $this->role = $role;
     }
 
     public function getPassword(): ?string
@@ -143,38 +147,12 @@ public function eraseCredentials(): void
 
     public function isAdmin(): bool
     {
-        return in_array('ROLE_ADMIN', $this->roles, true) || in_array('ROLE_SUPER_ADMIN', $this->roles, true);
+        return $this->role->isAdmin();
     }
 
     public function isSuperAdmin(): bool
     {
-        return in_array('ROLE_SUPER_ADMIN', $this->roles, true);
-    }
-
-    public function setAdmin(bool $admin): void
-    {
-        if ($admin) {
-            if (!in_array('ROLE_ADMIN', $this->roles, true)) {
-                $this->roles[] = 'ROLE_ADMIN';
-            }
-        } else {
-            if (false !== $key = array_search('ROLE_ADMIN', $this->roles, true)) {
-                unset($this->roles[$key]);
-            }
-        }
-    }
-
-    public function setSuperAdmin(bool $admin): void
-    {
-        if ($admin) {
-            if (!in_array('ROLE_SUPER_ADMIN', $this->roles, true)) {
-                $this->roles[] = 'ROLE_SUPER_ADMIN';
-            }
-        } else {
-            if (false !== $key = array_search('ROLE_SUPER_ADMIN', $this->roles, true)) {
-                unset($this->roles[$key]);
-            }
-        }
+        return $this->role->isSuperAdmin();
     }
 
     public function isTotpAuthenticationEnabled(): bool
diff --git a/src/Entity/UserRole.php b/src/Entity/UserRole.php
@@ -0,0 +1,20 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Entity;
+
+enum UserRole: string
+{
+    case Owner = 'ROLE_SUPER_ADMIN';
+    case Admin = 'ROLE_ADMIN';
+    case User = 'ROLE_USER';
+
+    public function isAdmin(): bool
+    {
+        return self::Admin === $this || $this->isSuperAdmin();
+    }
+
+    public function isSuperAdmin(): bool
+    {
+        return self::Owner === $this;
+    }
+}
diff --git a/translations/messages.en.yaml b/translations/messages.en.yaml
@@ -35,7 +35,7 @@ Package Mirroring: Package mirroring
 Password: Password
 Repeat new password: Repeat new password
 Repository url: Repository URL
-Roles: Roles
+Role: Role
 Token: Token
 Type: Type
 URL: URL
