Merge remote-tracking branch 'origin/alpha' into feat/issue-3186-public-referents

# Conflicts:
#	packages/app/src/server/audit/trpcMiddleware.ts

Author: LucasCharrier

packages/app/drizzle/0027_add_global_settings.sql

@@ -0,0 +1,16 @@
+-- Add optional campaign milestone dates to the per-year campaign_deadline table.
+ALTER TABLE "app_campaign_deadline"
+  ADD COLUMN IF NOT EXISTS "gip_publication_date" date;
+--> statement-breakpoint
+ALTER TABLE "app_campaign_deadline"
+  ADD COLUMN IF NOT EXISTS "campaign_start_date" date;
+--> statement-breakpoint
+
+-- Create the singleton global_setting table used for platform-wide variables
+-- (currently: the active campaign year). Access is gated by adminProcedure.
+CREATE TABLE IF NOT EXISTS "app_global_setting" (
+  "id" integer PRIMARY KEY DEFAULT 1,
+  "active_campaign_year" integer,
+  "updated_at" timestamp with time zone NOT NULL DEFAULT now(),
+  "updated_by" varchar(255) REFERENCES "app_user"("id") ON DELETE SET NULL
+);

packages/app/drizzle/meta/_journal.json

@@ -190,6 +190,13 @@
 			"when": 1775800000000,
 			"tag": "0026_add_referents_table",
 			"breakpoints": true
+		},
+		{
+			"idx": 27,
+			"version": "7",
+			"when": 1775900000000,
+			"tag": "0027_add_global_settings",
+			"breakpoints": true
 		}
 	]
 }

packages/app/src/app/admin/parametres/page.tsx

@@ -0,0 +1,5 @@
+import { AdminSettingsPage } from "~/modules/admin/settings";
+
+export default function Page() {
+	return <AdminSettingsPage />;
+}

packages/app/src/app/aide/page.tsx

@@ -8,6 +8,9 @@ export const metadata: Metadata = {
 		"Retrouvez toutes les ressources pour comprendre et réaliser votre déclaration des indicateurs d'égalité professionnelle.",
 };
 
+// Reads live campaign settings from the DB (admins can change them anytime).
+export const dynamic = "force-dynamic";
+
 export default function Page() {
 	return <AidePage />;
 }

packages/app/src/app/api/upload/__tests__/route.test.ts

@@ -108,6 +108,39 @@ describe("POST /api/upload", () => {
 		);
 	});
 
+	it("returns 403 and audits a failure row when the admin is impersonating", async () => {
+		mocks.auth.mockResolvedValue({
+			user: {
+				id: "admin-1",
+				email: "admin@example.com",
+				siret: "12345678901234",
+				isAdmin: true,
+				impersonation: { siren: "987654321", name: "Acme" },
+			},
+		});
+
+		const { POST } = await import("../route");
+		const response = await POST(
+			buildRequest({
+				"Content-Type": "application/pdf",
+				"X-Filename": "f.pdf",
+				"X-Flow-Type": "cse_opinion",
+			}),
+		);
+
+		expect(response.status).toBe(403);
+		const body = await response.json();
+		expect(body.error).toContain("mimoquage");
+		expect(mocks.runUploadPipeline).not.toHaveBeenCalled();
+		expect(mocks.logAction).toHaveBeenCalledWith(
+			expect.objectContaining({
+				action: "cse_opinion.upload_file",
+				status: "failure",
+				errorMessage: "HTTP 403 impersonation_read_only",
+			}),
+		);
+	});
+
 	it("returns 400 when X-Filename is missing", async () => {
 		validSession();
 		const { POST } = await import("../route");

packages/app/src/app/api/upload/route.ts

@@ -93,6 +93,31 @@ export async function POST(request: Request): Promise<Response> {
 	const userId = session.user.id ?? null;
 	const userEmail = session.user.email ?? null;
 
+	// Admin impersonation is a read-only support mode: file uploads are
+	// refused server-side (UI hides the button) so the admin cannot write
+	// files in the user's name (issue #3230).
+	if (session.user.impersonation) {
+		writeFailure({
+			action,
+			flowType,
+			fileName: request.headers.get("x-filename"),
+			fileId: null,
+			errorMessage: "HTTP 403 impersonation_read_only",
+			userId,
+			userEmail,
+			siren,
+			requestContext,
+			startedAt,
+		});
+		return Response.json(
+			{
+				error:
+					"Mode mimoquage actif : l'envoi de fichier est désactivé en lecture seule.",
+			},
+			{ status: 403 },
+		);
+	}
+
 	const fileName = request.headers.get("x-filename");
 	if (!fileName) {
 		writeFailure({

packages/app/src/e2e/admin-impersonation-read-only.e2e.ts

@@ -0,0 +1,72 @@
+import { expect, test } from "@playwright/test";
+
+import {
+	ensureCurrentYearDeclaration,
+	resetDeclarationToDraft,
+} from "./helpers/db";
+
+const TEST_SIREN = "130025265";
+
+test.describe("admin impersonation — read-only guards", () => {
+	test.beforeEach(async () => {
+		// A declaration row must exist before impersonation starts, because
+		// `declaration.getOrCreate` blocks the insert branch during mimoquage
+		// (issue #3230). The server component on step 1 calls getOrCreate on
+		// every render and would otherwise throw FORBIDDEN.
+		await ensureCurrentYearDeclaration();
+		await resetDeclarationToDraft();
+	});
+
+	test.afterEach(async ({ page }) => {
+		// Best-effort stop of any impersonation left over so the next test
+		// (or the next describe block) starts from a clean session.
+		await page.goto("/admin/impersonate");
+		const stopBtn = page.getByRole("button", { name: /arrêter le mimoquage/i });
+		if (await stopBtn.isVisible({ timeout: 1_000 }).catch(() => false)) {
+			await stopBtn.click();
+		}
+	});
+
+	test("form submit is disabled with a read-only tooltip during mimoquage", async ({
+		page,
+	}) => {
+		await page.goto("/admin/impersonate");
+		await page.getByLabel("SIREN de l'entreprise").fill(TEST_SIREN);
+		await page.getByRole("button", { name: "Rechercher" }).click();
+		await page.getByRole("button", { name: /valider et mimoquer/i }).click();
+
+		await page.waitForURL("**/mon-espace");
+		await expect(page.getByText(/vous mimoquez l'entreprise/i)).toBeVisible();
+
+		await page.goto("/declaration-remuneration/etape/1");
+
+		const submitButton = page.getByRole("button", { name: /suivant/i });
+		await expect(submitButton).toBeVisible();
+		await expect(submitButton).toBeDisabled();
+		const tooltipId = await submitButton.getAttribute("aria-describedby");
+		expect(tooltipId).not.toBeNull();
+		await expect(page.locator(`#${tooltipId}`)).toContainText(/mimoquage/i);
+	});
+
+	test("file upload endpoint returns 403 during impersonation", async ({
+		page,
+	}) => {
+		await page.goto("/admin/impersonate");
+		await page.getByLabel("SIREN de l'entreprise").fill(TEST_SIREN);
+		await page.getByRole("button", { name: "Rechercher" }).click();
+		await page.getByRole("button", { name: /valider et mimoquer/i }).click();
+		await page.waitForURL("**/mon-espace");
+
+		const response = await page.request.post("/api/upload", {
+			headers: {
+				"content-type": "application/pdf",
+				"x-filename": "impersonated.pdf",
+				"x-flow-type": "cse_opinion",
+			},
+			data: Buffer.from("%PDF-"),
+		});
+		expect(response.status()).toBe(403);
+		const body = await response.json();
+		expect(body.error).toMatch(/mimoquage/i);
+	});
+});

packages/app/src/e2e/admin.e2e.ts

@@ -18,3 +18,24 @@ test("admin user can access /admin/impersonate and sees impersonate page", async
 		page.getByRole("heading", { name: "Mimoquer une entreprise", level: 1 }),
 	).toBeVisible();
 });
+
+test("admin user can access /admin/parametres and sees settings page", async ({
+	page,
+}) => {
+	await page.goto("/admin/parametres");
+	await expect(
+		page.getByRole("heading", {
+			name: "Paramètres de la plateforme",
+			level: 1,
+		}),
+	).toBeVisible();
+	await expect(
+		page.getByRole("heading", { name: "Année de campagne active", level: 2 }),
+	).toBeVisible();
+	await expect(
+		page.getByRole("heading", { name: "Échéances de campagne", level: 2 }),
+	).toBeVisible();
+	await expect(
+		page.getByRole("spinbutton", { name: /année de campagne active/i }),
+	).toBeVisible();
+});

packages/app/src/e2e/helpers/db.ts

@@ -8,6 +8,42 @@ function createConnection() {
 	return postgres(url, { max: 1 });
 }
 
+/**
+ * Ensure a draft declaration row exists for the test SIREN and the current
+ * year. Used by tests that can't rely on `getOrCreate` to lazily insert
+ * the row — e.g. the admin-impersonation scenario, where the insert branch
+ * is blocked server-side.
+ */
+export async function ensureCurrentYearDeclaration() {
+	const sql = createConnection();
+	try {
+		const users = await sql`
+			SELECT user_id FROM app_user_company WHERE siren = ${TEST_SIREN} LIMIT 1
+		`;
+		const userId = users[0]?.user_id as string | undefined;
+		if (!userId) return;
+		await sql`
+			INSERT INTO app_declaration (
+				id, siren, year, declarant_id, current_step, status,
+				created_at, updated_at
+			)
+			VALUES (
+				gen_random_uuid(),
+				${TEST_SIREN},
+				EXTRACT(YEAR FROM CURRENT_DATE)::int,
+				${userId},
+				1,
+				'draft',
+				NOW(),
+				NOW()
+			)
+			ON CONFLICT ON CONSTRAINT declaration_siren_year_idx DO NOTHING
+		`;
+	} finally {
+		await sql.end();
+	}
+}
+
 /**
  * Reset the test declaration to draft and clean all associated data
  * so a new full flow can be tested from scratch.

packages/app/src/modules/admin/AdminNavigation.tsx

@@ -7,6 +7,7 @@ const adminLinks = [
 	{ href: "/admin", label: "Accueil" },
 	{ href: "/admin/impersonate", label: "Mimoquer un Siren" },
 	{ href: "/admin/liste-referents", label: "Référents" },
+	{ href: "/admin/parametres", label: "Paramètres" },
 ] as const;
 
 export function AdminNavigation() {