
fix subdomain security

Olivier Massot 2 jaren geleden
bovenliggende
commit
07a36795f1

+ 35 - 0
src/Doctrine/Organization/CurrentOrganizationSubdomainExtension.php

@@ -0,0 +1,35 @@
+<?php
+declare(strict_types=1);
+
+namespace App\Doctrine\Organization;
+
+use App\Doctrine\AbstractExtension;
+use App\Entity\Access\Access;
+use App\Entity\Organization\Subdomain;
+use Doctrine\ORM\QueryBuilder;
+use Symfony\Bundle\SecurityBundle\Security;
+
+/**
+ * Class CurrentOrganizationExtension : Filtre de sécurité par défaut pour une resource Organization
+ * @package App\Doctrine\Core
+ */
+final class CurrentOrganizationSubdomainExtension extends AbstractExtension
+{
+    public function __construct(private Security $security)
+    { }
+
+    protected function addWhere(QueryBuilder $queryBuilder, string $resourceClass): void
+    {
+        if (Subdomain::class !== $resourceClass) {
+            return;
+        }
+
+        /** @var Access $currentUser */
+        $currentUser = $this->security->getUser();
+        $rootAlias = $queryBuilder->getRootAliases()[0];
+        $queryBuilder
+            ->andWhere(sprintf('%s.organization = :organization', $rootAlias))
+            ->setParameter('organization', $currentUser->getOrganization()->getId())
+        ;
+    }
+}
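Review bot: `$this->security->getUser()` on the line under the `@var Access` annotation can return null for an unauthenticated request (and any non-`Access` user type), so the `getOrganization()->getId()` dereference a few lines later raises a TypeError instead of restricting the query; a security filter should fail closed, e.g. `if (!$currentUser instanceof Access || null === $currentUser->getOrganization()) { $queryBuilder->andWhere('1 = 0'); return; }` before building the `organization` condition. The `@var` docblock should be dropped once the `instanceof` check makes the type real, since it currently only hides the nullable return from static analysis. The class docblock also names `CurrentOrganizationExtension` and `@package App\Doctrine\Core`, neither of which matches the declared `CurrentOrganizationSubdomainExtension` in `App\Doctrine\Organization`; a header such as `Default security filter for the Subdomain resource: restricts every query to the current user's organization.` would describe what the code does. Whether `AbstractExtension` invokes `addWhere` for both collection and item queries is not visible here and should be confirmed, as the item-level guard is only as strong as that dispatch.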

+ 6 - 1
src/Entity/Organization/Subdomain.php

@@ -22,6 +22,9 @@ use Symfony\Component\Validator\Constraints as Assert;
 
 /**
  * Sous-domaine enregistré par une organisation
+ *
+ * Security:
+ *   @see \App\Doctrine\Organization\CurrentOrganizationSubdomainExtension
  */
 #[ApiResource(
     operations: [
@@ -32,7 +35,9 @@ use Symfony\Component\Validator\Constraints as Assert;
             security: 'is_granted("ROLE_ORGANIZATION") and object.getOrganization().getId() == user.getOrganization().getId()'
         ),
         new GetCollection(),
-        new Post()
+        new Post(
+            security: 'is_granted("ROLE_ORGANIZATION") and object.getOrganization().getId() == user.getOrganization().getId()'
+        )
     ],
     processor: SubdomainProcessor::class
 )]
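Review bot: The `security` expression added to `new Post(...)` references `object`, but on a POST operation `security` is evaluated before the request body is denormalized, so `object` is null there and `object.getOrganization()` fails in the expression rather than granting or denying; the organization check belongs in `securityPostDenormalize`, i.e. `new Post(security: 'is_granted("ROLE_ORGANIZATION")', securityPostDenormalize: 'object.getOrganization().getId() == user.getOrganization().getId()')`. `new GetCollection()` on the line above is still left without any `security` attribute; the new Doctrine extension presumably scopes its rows, but an explicit `is_granted("ROLE_ORGANIZATION")` there would keep the role requirement in one place with the other operations. The `#[ApiResource(...)]` attribute starts before this hunk.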