fix doctrine bug with emails and subdomains security

src/Entity/Message/AbstractMessage.php

@@ -19,14 +19,6 @@ use Symfony\Bridge\Doctrine\Types\UuidType;
 #[OrganizationDefaultValue(fieldName: "organization")]
 abstract class AbstractMessage
 {
-    #[ORM\Id]
-    #[ORM\Column]
-    #[ORM\GeneratedValue]
-    protected ?int $id = null;
-
-    #[ORM\Column(length: 255, nullable: false)]
-    protected string $discr;
-
     /**
      * @var UuidInterface|null
      */
@@ -35,6 +27,20 @@ abstract class AbstractMessage
     #[ORM\CustomIdGenerator(class: UuidGenerator::class)]
     protected ?UuidInterface $uuid = null;
 
+    /**
+     * IMPORTANT! Cette propriété doit être déclarée après l'uuid, pour prévenir un bug doctrine
+     * @see https://github.com/doctrine/orm/issues/7215
+     *
+     * @var int|null
+     */
+    #[ORM\Id]
+    #[ORM\Column]
+    #[ORM\GeneratedValue]
+    protected ?int $id = null;
+
+    #[ORM\Column(length: 255, nullable: false)]
+    protected string $discr;
+
     #[ORM\ManyToOne]
     #[ORM\JoinColumn(nullable: true)]
     protected Organization $organization;

src/Entity/Organization/Subdomain.php

@@ -36,7 +36,7 @@ use Symfony\Component\Validator\Constraints as Assert;
         ),
         new GetCollection(),
         new Post(
-            security: 'is_granted("ROLE_ORGANIZATION") and object.getOrganization().getId() == user.getOrganization().getId()'
+            security: 'is_granted("ROLE_ORGANIZATION")'
         )
     ],
     processor: SubdomainProcessor::class

src/State/Processor/Organization/SubdomainProcessor.php

@@ -12,6 +12,7 @@ use App\Entity\Organization\Subdomain;
 use App\Repository\Organization\SubdomainRepository;
 use App\Service\Typo3\SubdomainService;
 use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\SecurityBundle\Security;
 
 /**
  * Custom Processor gérant la resource Subdomain
@@ -19,7 +20,8 @@ use Doctrine\ORM\EntityManagerInterface;
 class SubdomainProcessor implements ProcessorInterface
 {
     public function __construct(
-        private readonly SubdomainService $subdomainService
+        private readonly SubdomainService $subdomainService,
+        private Security $security
     ) {}
 
     /**
@@ -36,6 +38,12 @@ class SubdomainProcessor implements ProcessorInterface
             throw new \RuntimeException('not supported', 500);
         }
 
+        $access = $this->security->getUser();
+        if ($data->getOrganization()->getId() !== $access->getOrganization()->getId()) {
+            // TODO: voir à déplacer dans un voter?
+            throw new \RuntimeException('forbidden', 500);
+        }
+
         if ($operation instanceof Post) {
             // Create a new subdomain
             $subdomain = $this->subdomainService->addNewSubdomain(