Fixed issues raised by code review

tuj · tuj · commit 8b0e4f857c38 · 2026-06-11T16:15:00.000+02:00
diff --git a/README.md b/README.md
@@ -126,9 +126,11 @@ itk_dev_entity:
     enabled: true
 ```
 
-When enabled, the `BlameableListener` (Doctrine `onFlush`) sets `createdBy` on insert and `modifiedBy` on every flush
-from `Symfony\Bundle\SecurityBundle\Security`. Bundle code types these as `?UserInterface`; the concrete class is
-resolved at runtime via Doctrine `resolve_target_entities`, configured by `itk_dev_entity.user_class`.
+When enabled, the `BlameableListener` (Doctrine `onFlush`) reads the current user from
+`Symfony\Bundle\SecurityBundle\Security` and sets `createdBy` + `modifiedBy` on insert, and `modifiedBy` on every
+update. Flushes that happen outside an authenticated request (workers, console commands) leave the existing blame
+fields untouched. Bundle code types these as `?UserInterface`; the concrete class is resolved at runtime via Doctrine
+`resolve_target_entities`, configured by `itk_dev_entity.user_class`.
 
 ### Opt-in: archivable
 
diff --git a/docker-compose.postgres.yml b/docker-compose.postgres.yml
@@ -9,11 +9,11 @@ services:
     image: postgres:16
     ports: !reset []
     environment: !override
-      POSTGRES_DB: app_bundle_test
-      POSTGRES_USER: app
-      POSTGRES_PASSWORD: "!ChangeMe!"
+      POSTGRES_DB: db
+      POSTGRES_USER: db
+      POSTGRES_PASSWORD: db
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U app -d app_bundle_test"]
+      test: ["CMD-SHELL", "pg_isready -U db -d db"]
       start_period: 10s
       interval: 10s
       timeout: 5s
@@ -29,7 +29,7 @@ services:
       args:
         PHP_FPM_IMAGE: ${PHP_FPM_IMAGE:-itkdev/php8.4-fpm:latest}
     environment:
-      - DATABASE_URL=postgresql://app:!ChangeMe!@database:5432/app_bundle_test?serverVersion=16&charset=utf8
+      - DATABASE_URL=postgresql://db:db@database:5432/db?serverVersion=16&charset=utf8
 
 volumes:
   postgres-data:
diff --git a/src/DependencyInjection/ITKDevEntityExtension.php b/src/DependencyInjection/ITKDevEntityExtension.php
@@ -14,6 +14,7 @@
 use ITKDev\EntityBundle\Doctrine\Listener\SoftDeleteListener;
 use ITKDev\EntityBundle\Doctrine\Listener\TimestampableListener;
 use ITKDev\EntityBundle\Privacy\Attribute\Anonymize;
+use ITKDev\EntityBundle\Privacy\Strategy;
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\Config\FileLocator;
 use Symfony\Component\Config\Resource\DirectoryResource;
@@ -180,6 +181,10 @@ private function mergeAnonymizationRules(array $discovered, array $configRules):
                 if (!\is_string($property) || !\is_array($spec) || !isset($spec['strategy']) || !\is_string($spec['strategy'])) {
                     throw new InvalidConfigurationException(sprintf('itk_dev_entity.anonymization.rules[%s][%s] must be { strategy: ..., replacement?: ... }', $class, (string) $property));
                 }
+                if (null === Strategy::tryFrom($spec['strategy'])) {
+                    $valid = implode(', ', array_map(static fn (Strategy $s): string => $s->value, Strategy::cases()));
+                    throw new InvalidConfigurationException(sprintf('itk_dev_entity.anonymization.rules[%s][%s].strategy must be one of: %s. Got "%s".', $class, $property, $valid, $spec['strategy']));
+                }
                 $replacement = $spec['replacement'] ?? null;
                 if (null !== $replacement && !\is_string($replacement)) {
                     throw new InvalidConfigurationException(sprintf('itk_dev_entity.anonymization.rules[%s][%s].replacement must be a string or null.', $class, $property));
diff --git a/src/Doctrine/Filter/ArchivableFilter.php b/src/Doctrine/Filter/ArchivableFilter.php
@@ -16,7 +16,7 @@ public function addFilterConstraint(ClassMetadata $targetEntity, string $targetT
             return '';
         }
 
-        $column = $targetEntity->getColumnName('archivedAt');
+        $column = $this->getConnection()->quoteIdentifier($targetEntity->getColumnName('archivedAt'));
 
         return sprintf('%s.%s IS NULL', $targetTableAlias, $column);
     }
diff --git a/src/Doctrine/Filter/SoftDeleteFilter.php b/src/Doctrine/Filter/SoftDeleteFilter.php
@@ -16,7 +16,7 @@ public function addFilterConstraint(ClassMetadata $targetEntity, string $targetT
             return '';
         }
 
-        $column = $targetEntity->getColumnName('deletedAt');
+        $column = $this->getConnection()->quoteIdentifier($targetEntity->getColumnName('deletedAt'));
 
         return sprintf('%s.%s IS NULL', $targetTableAlias, $column);
     }
diff --git a/src/Doctrine/Listener/BlameableListener.php b/src/Doctrine/Listener/BlameableListener.php
@@ -41,10 +41,17 @@ public function onFlush(OnFlushEventArgs $args): void
             }
         }
 
+        if (null === $user) {
+            return;
+        }
+
         foreach ($uow->getScheduledEntityUpdates() as $entity) {
             if (!$entity instanceof BlameableInterface) {
                 continue;
             }
+            if ($entity->getModifiedBy() === $user) {
+                continue;
+            }
             $entity->setModifiedBy($user);
             $uow->recomputeSingleEntityChangeSet($em->getClassMetadata($entity::class), $entity);
         }
diff --git a/src/Doctrine/Listener/SoftDeleteListener.php b/src/Doctrine/Listener/SoftDeleteListener.php
@@ -33,6 +33,8 @@ public function onFlush(OnFlushEventArgs $args): void
             $entity->setDeletedAt($now);
 
             $meta = $em->getClassMetadata($entity::class);
+            // remove() left the entity in STATE_REMOVED; persist() brings it back to
+            // STATE_MANAGED so scheduleExtraUpdate() will accept it.
             $em->persist($entity);
             $uow->scheduleExtraUpdate($entity, [
                 'deletedAt' => [null, $now],
@@ -43,6 +45,12 @@ public function onFlush(OnFlushEventArgs $args): void
         }
     }
 
+    /**
+     * Doctrine ORM 3 has no public API to cancel a scheduled deletion, so we reach into
+     * the UnitOfWork's private $entityDeletions map and remove the entry directly. The
+     * composer.json constraint pins doctrine/orm to ^3 — if that constraint is widened,
+     * verify this property still exists (see SoftDeleteListenerInternalsTest).
+     */
     private static function cancelDeletion(UnitOfWork $uow, object $entity): void
     {
         $ref = new \ReflectionProperty(UnitOfWork::class, 'entityDeletions');
diff --git a/src/Entity/Trait/TimestampableTrait.php b/src/Entity/Trait/TimestampableTrait.php
@@ -14,6 +14,9 @@ trait TimestampableTrait
     #[ORM\Column(type: 'datetime_immutable')]
     private \DateTimeImmutable $updatedAt;
 
+    // Properties are filled by TimestampableListener on first flush, so they may be
+    // uninitialized between `new Entity()` and `$em->flush()`. `?? null` is safe on
+    // uninitialized typed properties (PHP 8+) and lets callers null-check before flush.
     public function getCreatedAt(): ?\DateTimeImmutable
     {
         return $this->createdAt ?? null;
diff --git a/src/Privacy/StrategyApplier.php b/src/Privacy/StrategyApplier.php
@@ -19,10 +19,10 @@ public function apply(Strategy $strategy, mixed $value, ?string $replacement = n
         return match ($strategy) {
             Strategy::NullValue => null,
             Strategy::Redact => $replacement ?? '[REDACTED]',
-            Strategy::Hash => null === $value ? null : hash('sha256', (string) $value),
+            Strategy::Hash => null === $value ? null : hash('sha256', (string) $value.$this->pepper),
             Strategy::Pseudonymize => null === $value
                 ? null
-                : 'user_'.substr(sha1((string) $value.$this->pepper), 0, 12),
+                : 'user_'.substr(hash('sha256', (string) $value.$this->pepper), 0, 12),
         };
     }
 }
diff --git a/tests/Fixtures/Inheritance/GrandchildLeaf.php b/tests/Fixtures/Inheritance/GrandchildLeaf.php
@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ITKDev\EntityBundle\Tests\Fixtures\Inheritance;
+
+use ITKDev\EntityBundle\Audit\Attribute\Auditable;
+
+/**
+ * Concrete leaf two levels below the class carrying #[ITKDevEntity]. The bundle's
+ * parent-chain walk must reach Grandparent for this class to be discovered.
+ */
+#[Auditable]
+final class GrandchildLeaf extends IntermediateParent
+{
+}
diff --git a/tests/Fixtures/Inheritance/Grandparent.php b/tests/Fixtures/Inheritance/Grandparent.php
@@ -0,0 +1,16 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ITKDev\EntityBundle\Tests\Fixtures\Inheritance;
+
+use ITKDev\EntityBundle\Attribute\ITKDevEntity;
+
+/**
+ * Grandparent in a 3-level inheritance chain used to verify that
+ * ITKDevEntityExtension::hasITKDevEntityAttribute() walks past direct parents.
+ */
+#[ITKDevEntity]
+abstract class Grandparent
+{
+}
diff --git a/tests/Fixtures/Inheritance/IntermediateParent.php b/tests/Fixtures/Inheritance/IntermediateParent.php
@@ -0,0 +1,9 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ITKDev\EntityBundle\Tests\Fixtures\Inheritance;
+
+abstract class IntermediateParent extends Grandparent
+{
+}
diff --git a/tests/Integration/AbstractITKDevEntityIntegrationTest.php b/tests/Integration/AbstractITKDevEntityIntegrationTest.php
@@ -98,6 +98,82 @@ public function testBlameableTolelratesNullSecurityContext(): void
         self::assertNull($entity->getModifiedBy());
     }
 
+    public function testBlameablePreservesModifiedByWhenUpdateRunsLoggedOut(): void
+    {
+        $alice = new TestUser();
+        $this->em->persist($alice);
+        $this->em->flush();
+
+        $this->loginAs($alice);
+
+        $entity = new FixtureEntity();
+        $this->em->persist($entity);
+        $this->em->flush();
+        self::assertSame($alice->getId(), $this->blameId($entity->getModifiedBy()));
+
+        // Mimic a worker / cron flush: no security token.
+        $this->logout();
+        $entity->setLabel('mutated-by-worker');
+        $this->em->flush();
+
+        self::assertSame(
+            $alice->getId(),
+            $this->blameId($entity->getModifiedBy()),
+            'modifiedBy must not be wiped when an update flushes without an authenticated user',
+        );
+    }
+
+    public function testSoftDeleteAndArchivableFiltersCompose(): void
+    {
+        $live = new FixtureEntity();
+        $live->setLabel('live');
+
+        $archivedOnly = new FixtureEntity();
+        $archivedOnly->setLabel('archived');
+        $archivedOnly->archive(new \DateTimeImmutable('2025-01-01'));
+
+        $softDeletedOnly = new FixtureEntity();
+        $softDeletedOnly->setLabel('soft-deleted');
+
+        $both = new FixtureEntity();
+        $both->setLabel('both');
+        $both->archive(new \DateTimeImmutable('2025-01-01'));
+
+        $this->em->persist($live);
+        $this->em->persist($archivedOnly);
+        $this->em->persist($softDeletedOnly);
+        $this->em->persist($both);
+        $this->em->flush();
+
+        $this->em->remove($softDeletedOnly);
+        $this->em->remove($both);
+        $this->em->flush();
+        $this->em->clear();
+
+        // soft_delete on (default), archivable off (default) -> live + archivedOnly visible.
+        $visible = $this->labelsOf($this->em->getRepository(FixtureEntity::class)->findAll());
+        sort($visible);
+        self::assertSame(['archived', 'live'], $visible);
+
+        // Both filters on -> only `live`.
+        $this->em->getFilters()->enable('archivable');
+        $this->em->clear();
+        $visible = $this->labelsOf($this->em->getRepository(FixtureEntity::class)->findAll());
+        self::assertSame(['live'], $visible);
+
+        // soft_delete off, archivable on -> live + soft-deleted.
+        $this->em->getFilters()->disable('soft_delete');
+        $this->em->clear();
+        $visible = $this->labelsOf($this->em->getRepository(FixtureEntity::class)->findAll());
+        sort($visible);
+        self::assertSame(['live', 'soft-deleted'], $visible);
+
+        // Both off -> all four.
+        $this->em->getFilters()->disable('archivable');
+        $this->em->clear();
+        self::assertCount(4, $this->em->getRepository(FixtureEntity::class)->findAll());
+    }
+
     public function testRemoveTriggersSoftDeleteAndFilterHidesRow(): void
     {
         $entity = new FixtureEntity();
@@ -170,6 +246,16 @@ public function testArchivableFilterHidesArchivedRowsWhenEnabled(): void
         self::assertSame('live', $visible[0]->getLabel());
     }
 
+    /**
+     * @param list<FixtureEntity> $entities
+     *
+     * @return list<string>
+     */
+    private function labelsOf(array $entities): array
+    {
+        return array_values(array_filter(array_map(static fn (FixtureEntity $e): ?string => $e->getLabel(), $entities)));
+    }
+
     private function blameId(?UserInterface $user): ?Ulid
     {
         if (null === $user) {
diff --git a/tests/Unit/DependencyInjection/ITKDevEntityDiscoveryTest.php b/tests/Unit/DependencyInjection/ITKDevEntityDiscoveryTest.php
@@ -8,6 +8,7 @@
 use ITKDev\EntityBundle\Tests\Fixtures\Entity\AttributeOnlyEntity;
 use ITKDev\EntityBundle\Tests\Fixtures\Entity\FixtureEntity;
 use ITKDev\EntityBundle\Tests\Fixtures\Entity\NonAuditableEntity;
+use ITKDev\EntityBundle\Tests\Fixtures\Inheritance\GrandchildLeaf;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 
@@ -41,6 +42,29 @@ public function testAbstractITKDevEntitySubclassesStillDiscovered(): void
         self::assertArrayHasKey(FixtureEntity::class, $entities);
     }
 
+    public function testInheritedITKDevEntityAttributeReachesGrandchild(): void
+    {
+        $container = new ContainerBuilder();
+        $container->setParameter('kernel.project_dir', \dirname(__DIR__, 3));
+        $container->registerExtension(new ITKDevEntityExtension());
+        $container->prependExtensionConfig('itk_dev_entity', [
+            'user_class' => 'App\\Entity\\User',
+            'audit' => ['enabled' => true],
+            // Point only at the inheritance fixtures so unrelated entities are out of scope.
+            'entity_paths' => ['%kernel.project_dir%/tests/Fixtures/Inheritance'],
+        ]);
+
+        (new ITKDevEntityExtension())->prepend($container);
+
+        $auditor = $container->getExtensionConfig('dh_auditor');
+        $entities = $auditor[0]['providers']['doctrine']['entities'] ?? [];
+
+        // GrandchildLeaf -> IntermediateParent -> Grandparent[#[ITKDevEntity]].
+        // The chain walk in hasITKDevEntityAttribute() must reach the grandparent
+        // for the leaf to be discovered.
+        self::assertArrayHasKey(GrandchildLeaf::class, $entities);
+    }
+
     public function testUnmarkedEntitiesNotInAuditorConfig(): void
     {
         $extension = new ITKDevEntityExtension();
diff --git a/tests/Unit/Doctrine/Listener/SoftDeleteListenerInternalsTest.php b/tests/Unit/Doctrine/Listener/SoftDeleteListenerInternalsTest.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ITKDev\EntityBundle\Tests\Unit\Doctrine\Listener;
+
+use Doctrine\ORM\UnitOfWork;
+use PHPUnit\Framework\TestCase;
+
+/**
+ * Guards the private-property access in SoftDeleteListener::cancelDeletion(): if Doctrine
+ * ever renames or removes UnitOfWork::$entityDeletions, soft-delete would silently degrade
+ * to a hard delete. This test fails loudly instead.
+ */
+final class SoftDeleteListenerInternalsTest extends TestCase
+{
+    public function testUnitOfWorkStillHasEntityDeletionsProperty(): void
+    {
+        self::assertTrue(
+            (new \ReflectionClass(UnitOfWork::class))->hasProperty('entityDeletions'),
+            'Doctrine UnitOfWork no longer exposes $entityDeletions — SoftDeleteListener::cancelDeletion() needs updating.',
+        );
+    }
+}
diff --git a/tests/Unit/Privacy/AuditRetentionPolicyTest.php b/tests/Unit/Privacy/AuditRetentionPolicyTest.php
diff --git a/tests/Unit/Privacy/StrategyApplierTest.php b/tests/Unit/Privacy/StrategyApplierTest.php

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ public function addFilterConstraint(ClassMetadata $targetEntity, string $targetT`
`16`	`16`	`return '';`
`17`	`17`	`}`
`18`	`18`
`19`		`- $column = $targetEntity->getColumnName('archivedAt');`
	`19`	`+ $column = $this->getConnection()->quoteIdentifier($targetEntity->getColumnName('archivedAt'));`
`20`	`20`
`21`	`21`	`return sprintf('%s.%s IS NULL', $targetTableAlias, $column);`
`22`	`22`	`}`
Original file line number	Diff line number	Diff line change
`@@ -41,10 +41,17 @@ public function onFlush(OnFlushEventArgs $args): void`
`41`	`41`	`}`
`42`	`42`	`}`
`43`	`43`
	`44`	`+ if (null === $user) {`
	`45`	`+ return;`
	`46`	`+ }`
	`47`	`+`
`44`	`48`	`foreach ($uow->getScheduledEntityUpdates() as $entity) {`
`45`	`49`	`if (!$entity instanceof BlameableInterface) {`
`46`	`50`	`continue;`
`47`	`51`	`}`
	`52`	`+ if ($entity->getModifiedBy() === $user) {`
	`53`	`+ continue;`
	`54`	`+ }`
`48`	`55`	`$entity->setModifiedBy($user);`
`49`	`56`	`$uow->recomputeSingleEntityChangeSet($em->getClassMetadata($entity::class), $entity);`
`50`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,8 @@ public function onFlush(OnFlushEventArgs $args): void`
`33`	`33`	`$entity->setDeletedAt($now);`
`34`	`34`
`35`	`35`	`$meta = $em->getClassMetadata($entity::class);`
	`36`	`+ // remove() left the entity in STATE_REMOVED; persist() brings it back to`
	`37`	`+ // STATE_MANAGED so scheduleExtraUpdate() will accept it.`
`36`	`38`	`$em->persist($entity);`
`37`	`39`	`$uow->scheduleExtraUpdate($entity, [`
`38`	`40`	`'deletedAt' => [null, $now],`
`@@ -43,6 +45,12 @@ public function onFlush(OnFlushEventArgs $args): void`
`43`	`45`	`}`
`44`	`46`	`}`
`45`	`47`
	`48`	`+ /**`
	`49`	`+ * Doctrine ORM 3 has no public API to cancel a scheduled deletion, so we reach into`
	`50`	`+ * the UnitOfWork's private $entityDeletions map and remove the entry directly. The`
	`51`	`+ * composer.json constraint pins doctrine/orm to ^3 — if that constraint is widened,`
	`52`	`+ * verify this property still exists (see SoftDeleteListenerInternalsTest).`
	`53`	`+ */`
`46`	`54`	`private static function cancelDeletion(UnitOfWork $uow, object $entity): void`
`47`	`55`	`{`
`48`	`56`	`$ref = new \ReflectionProperty(UnitOfWork::class, 'entityDeletions');`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,9 @@ trait TimestampableTrait`
`14`	`14`	`#[ORM\Column(type: 'datetime_immutable')]`
`15`	`15`	`private \DateTimeImmutable $updatedAt;`
`16`	`16`
	`17`	`+ // Properties are filled by TimestampableListener on first flush, so they may be`
	`18`	+ // uninitialized between `new Entity()` and `$em->flush()`. `?? null` is safe on
	`19`	`+ // uninitialized typed properties (PHP 8+) and lets callers null-check before flush.`
`17`	`20`	`public function getCreatedAt(): ?\DateTimeImmutable`
`18`	`21`	`{`
`19`	`22`	`return $this->createdAt ?? null;`
Original file line number	Diff line number	Diff line change
`@@ -19,10 +19,10 @@ public function apply(Strategy $strategy, mixed $value, ?string $replacement = n`
`19`	`19`	`return match ($strategy) {`
`20`	`20`	`Strategy::NullValue => null,`
`21`	`21`	`Strategy::Redact => $replacement ?? '[REDACTED]',`
`22`		`- Strategy::Hash => null === $value ? null : hash('sha256', (string) $value),`
	`22`	`+ Strategy::Hash => null === $value ? null : hash('sha256', (string) $value.$this->pepper),`
`23`	`23`	`Strategy::Pseudonymize => null === $value`
`24`	`24`	`? null`
`25`		`- : 'user_'.substr(sha1((string) $value.$this->pepper), 0, 12),`
	`25`	`+ : 'user_'.substr(hash('sha256', (string) $value.$this->pepper), 0, 12),`
`26`	`26`	`};`
`27`	`27`	`}`
`28`	`28`	`}`