#1344

composer.lock

 {
     "_readme": [
         "This file locks the dependencies of your project to a known state",
-        "Read more about it at http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
+        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
         "This file is @generated automatically"
     ],
     "hash": "748ee1c993c5f0ae90ee21769545e4da",

data/Sql/Rôles.sql

@@ -102,15 +102,3 @@ select * from individu_fonct_struct@harpprod ifs where no_dossier_pers = 16956;
 
 
 select * from individu@harpprod where nom_usuel = 'DENOYES';
-
-
-
-select
-r.code categorie,
-p.code privilege,
-p.id   p_id
-from
-  privilege p
-  join categorie_privilege r on r.id = p.categorie_id
-order by
-  categorie, privilege
\ No newline at end of file

data/Sql/intervenant_suppression.sql

+
+
+
+-- paiements
+select * from mise_en_paiement
+--;delete from mise_en_paiement
+--;update mise_en_paiement set histo_destructeur_id = 4, histo_destruction=sysdate
+where formule_res_service_id IN (
+  select id from formule_resultat_service where service_id IN (
+    select id from service where intervenant_id IN (
+      select id from intervenant where source_code = '100733'
+    )
+  )
+);
+
+
+-- contrats
+select * from contrat
+--;delete from contrat
+--;update contrat set histo_destructeur_id = 4, histo_destruction=sysdate
+where intervenant_id IN (
+  select id from intervenant where source_code = '100733'
+);
+
+
+-- validations de volumes_horaires
+select * from validation_vol_horaire
+--;delete from validation_vol_horaire
+where volume_horaire_id IN (
+  select id FROM volume_horaire WHERE service_id IN (
+    select id from service where intervenant_id IN (
+      select id from intervenant where source_code = '100733'
+    )
+  )
+);
+
+
+-- volumes horaires
+select * from volume_horaire
+--;delete from volume_horaire
+--;update volume_horaire set histo_destructeur_id = 4, histo_destruction=sysdate
+where service_id IN (
+  select id from service where intervenant_id IN (
+    select id from intervenant where source_code = '100733'
+  )
+);
+
+
+-- services
+select * from service
+--;delete from service
+--;update service set histo_destructeur_id = 4, histo_destruction=sysdate
+where intervenant_id IN (
+  select id from intervenant where source_code = '100733'
+);
+
+
+-- intervenant
+select * from intervenant
+--;delete from intervenant
+--;update intervenant set histo_destructeur_id = 4, histo_destruction=sysdate
+where source_code = '100733';
\ No newline at end of file

data/Sql/privileges.sql

+  
+  
+INSERT INTO CATEGORIE_PRIVILEGE (
+  ID,
+  CODE,
+  LIBELLE
+) VALUES (
+  CATEGORIE_PRIVILEGE_ID_SEQ.nextval,
+  'modification-service-du',
+  'Modification de service dû'
+);
+
+INSERT INTO PRIVILEGE (
+  ID,
+  CATEGORIE_ID,
+  CODE,
+  LIBELLE
+) VALUES (
+  privilege_id_seq.nextval,
+  (SELECT id FROM CATEGORIE_PRIVILEGE WHERE code = 'modif-service-du' ),
+  'association',
+  'Association'
+);
+
+INSERT INTO PRIVILEGE (
+  ID,
+  CATEGORIE_ID,
+  CODE,
+  LIBELLE
+) VALUES (
+  privilege_id_seq.nextval,
+  (SELECT id FROM CATEGORIE_PRIVILEGE WHERE code = 'modif-service-du' ),
+  'visualisation',
+  'Visualisation'
+);
+
+INSERT INTO PRIVILEGE (
+  ID,
+  CATEGORIE_ID,
+  CODE,
+  LIBELLE
+) VALUES (
+  privilege_id_seq.nextval,
+  (SELECT id FROM CATEGORIE_PRIVILEGE WHERE code = 'modif-service-du' ),
+  'edition',
+  'Édition'
+);
+
+INSERT INTO PRIVILEGE (
+  ID,
+  CATEGORIE_ID,
+  CODE,
+  LIBELLE
+) VALUES (
+  privilege_id_seq.nextval,
+  (SELECT id FROM CATEGORIE_PRIVILEGE WHERE code = 'mise-en-paiement' ),
+  'export-paie',
+  'Export vers le logiciel de paie'
+);
+
+select
+  cp.code categorie,
+  p.code privilege
+from
+  privilege p
+  join categorie_privilege cp on cp.id = p.categorie_id
+order by
+  categorie, privilege
\ No newline at end of file

module/Application/config/gestion.config.php

@@ -113,14 +113,14 @@ return [
                                         'title'  => "Gestion des rôles",
                                         'route'  => 'gestion/droits/roles',
                                         'withtarget' => true,
-                                        'resource' => 'controller/Application\Controller\Gestion:roles',
+                                        'resource' => 'privilege/privilege-visualisation',
                                     ],
                                     'privileges' => [
                                         'label'  => "Privilèges",
                                         'title'  => "Gestion des privilèges",
                                         'route'  => 'gestion/droits/privileges',
                                         'withtarget' => true,
-                                        'resource' => 'controller/Application\Controller\Gestion:privileges',
+                                        'resource' => 'privilege/privilege-visualisation',
                                     ],
                                 ],
                             ],
@@ -143,7 +143,7 @@ return [
                 [
                     'controller' => 'Application\Controller\Gestion',
                     'action'     => ['droits', 'roles', 'privileges'],
-                    'privileges' => ['privilege-visualisation', 'privilege-edition']
+                    'privileges' => ['privilege-visualisation', 'privilege-edition'],
                 ],
                 [
                     'controller' => 'Application\Controller\Gestion',

module/Application/config/module.config.php

@@ -179,6 +179,9 @@ $main =  [
                     'Application\\Acl\\IntervenantPermanentRole',
             ],
         ],
+        'resource_providers' => [
+            'ApplicationPrivilege' => [],
+        ],
     ],
     'service_manager' => [
         'invokables' => [
@@ -197,12 +200,16 @@ $main =  [
             'ApplicationPays'                                => 'Application\\Service\\Pays',
             'ApplicationDepartement'                         => 'Application\\Service\\Departement',
             'IntervenantNavigationPageVisibility'            => 'Application\\Service\\IntervenantNavigationPageVisibility',
-            'ApplicationRuleProvider'                        => 'Application\Provider\Rule\RuleProvider',
+            'TestAssertion'                                  => 'Application\\Assertion\\TestAssertion',
         ],
+        'aliases' => array(
+            'PrivilegeProvider'                              => 'ApplicationPrivilege'
+        ),
         'factories' => [
             'navigation'                  => 'Application\Service\NavigationFactoryFactory',
             'ApplicationRoleProvider'     => 'Application\Provider\Role\RoleProviderFactory',
             'ApplicationIdentityProvider' => 'Application\Provider\Identity\IdentityProviderFactory',
+            'BjyAuthorize\Service\Authorize' => 'Application\Service\AuthorizeFactory', // surcharge!!!
         ],
         'abstract_factories' => [
         ],

module/Application/config/paiement.config.php

@@ -2,6 +2,8 @@
 
 namespace Application;
 
+use Application\Entity\Db\Privilege;
+
 return [
     'router' => [
         'routes' => [
@@ -110,47 +112,52 @@ return [
     ],
     'bjyauthorize' => [
         'guards' => [
-            'BjyAuthorize\Guard\Controller' => [
+            'Application\Guard\PrivilegeController' => [
                 [
                     'controller' => 'Application\Controller\Paiement',
-                    'action'     => ['index','demandeMiseEnPaiement','etatPaiement','misesEnPaiementCsv'],
-                    'roles'      => [R_COMPOSANTE, R_ADMINISTRATEUR, R_DRH],
+                    'action'     => ['index','etatPaiement','misesEnPaiementCsv'],
+                    'privileges' => [
+                        Privilege::MISE_EN_PAIEMENT_DEMANDE,
+                        Privilege::MISE_EN_PAIEMENT_VISUALISATION,
+                        Privilege::MISE_EN_PAIEMENT_VALIDATION,
+                    ],
+                    'assertion'  => 'MiseEnPaiementAssertion',
                 ],
                 [
                     'controller' => 'Application\Controller\Paiement',
-                    'action'     => ['miseEnPaiement','extractionWinpaie'],
-                    'roles'      => [R_ADMINISTRATEUR, R_DRH],
-                ],
-            ],
+                    'action'     => ['demandeMiseEnPaiement'],
+                    'privileges' => [Privilege::MISE_EN_PAIEMENT_DEMANDE],
+                    'assertion'  => 'MiseEnPaiementAssertion',
                 ],
-        'resource_providers' => [
-            'BjyAuthorize\Provider\Resource\Config' => [
-                'MiseEnPaiement' => [],
-            ],
-        ],
-        'rule_providers' => [
-            'BjyAuthorize\Provider\Rule\Config' => [
-                'allow' => [
                 [
-                        [R_ROLE],
-                        'MiseEnPaiement',
-                        [
-                            Assertion\MiseEnPaiementAssertion::PRIVILEGE_VISUALISATION,
-                            Assertion\MiseEnPaiementAssertion::PRIVILEGE_DEMANDE,
-                            Assertion\MiseEnPaiementAssertion::PRIVILEGE_VALIDATION,
-                            Assertion\MiseEnPaiementAssertion::PRIVILEGE_MISE_EN_PAIEMENT,
-                        ],
-                        Assertion\MiseEnPaiementAssertion::getAssertionId(),
+                    'controller' => 'Application\Controller\Paiement',
+                    'action'     => ['miseEnPaiement'],
+                    'privileges' => [Privilege::MISE_EN_PAIEMENT_MISE_EN_PAIEMENT]
                 ],
                 [
-                        [R_ADMINISTRATEUR, R_DRH],
-                        'MiseEnPaiement',
-                        ['export-csv-winpaie'],
-
-                    ],
-                ],
-            ],
-        ],
+                    'controller' => 'Application\Controller\Paiement',
+                    'action'     => ['extractionWinpaie'],
+                    'privileges' => [Privilege::MISE_EN_PAIEMENT_EXPORT_PAIE]
+                ],
+            ],
+        ],
+//        'rule_providers' => [
+//            'Application\Provider\Rule\RuleProvider' => [
+//                 'allow' => [
+//                    [
+//                        [
+//                            'mise-en-paiement-demande',
+//                            'mise-en-paiement-mise-en-paiement',
+//                            'mise-en-paiement-visualisation',
+//                            'mise-en-paiement-validation'
+//                        ],
+//                        'MiseEnPaiement',
+//                        [],
+//                        'MiseEnPaiementAssertion',
+//                    ]
+//                ],
+//            ],
+//        ],
     ],
     'service_manager' => [
         'invokables' => [

module/Application/config/service.config.php

@@ -236,7 +236,7 @@ return [
                     'controller' => 'Application\Controller\ServiceReferentiel',
                     'action' => ['index', 'saisie', 'suppression', 'rafraichir-ligne', 'constatation'],
                     'roles' => [R_ROLE],
-                ],
+                ]
             ],
         ],
         'resource_providers' => [
@@ -248,8 +248,16 @@ return [
             ],
         ],
         'rule_providers' => [
-            'BjyAuthorize\Provider\Rule\Config' => [
+            'Application\Provider\Rule\RuleProvider' => [
                  'allow' => [
+                    [
+                        'mep-visualisation',
+                        'Service',
+                        ['create', 'read', 'delete', 'update'],
+                        'ServiceAssertion',
+                    ]
+                ],
+                /*'allow' => [
                     [
                         [R_ROLE],
                         'Service',
@@ -274,7 +282,7 @@ return [
                         ['create', 'read', 'delete', 'update'],
                         'ServiceReferentielAssertion'
                     ]
-                ],
+                ],*/
             ],
         ],
     ],

module/Application/src/Application/Assertion/AbstractAssertion.php

@@ -2,8 +2,6 @@
 
 namespace Application\Assertion;
 
-use DateTime;
-use Application\Acl\IntervenantPermanentRole;
 use Zend\Mvc\MvcEvent;
 use Zend\Permissions\Acl\Acl;
 use Zend\Permissions\Acl\Assertion\AssertionInterface;
@@ -11,7 +9,6 @@ use Zend\Permissions\Acl\Resource\ResourceInterface;
 use Zend\Permissions\Acl\Role\RoleInterface;
 use Zend\ServiceManager\ServiceLocatorAwareInterface;
 use Zend\ServiceManager\ServiceLocatorAwareTrait;
-use Application\Acl\Role;
 
 /**
  * Description of AbstractAssertion
@@ -20,9 +17,7 @@ use Application\Acl\Role;
  */
 abstract class AbstractAssertion implements AssertionInterface, ServiceLocatorAwareInterface
 {
-    use ServiceLocatorAwareTrait,
-        \Application\Service\Traits\ContextAwareTrait
-    ;
+    use ServiceLocatorAwareTrait;
 
 
     const PRIVILEGE_CREATE = 'create';
@@ -30,40 +25,6 @@ abstract class AbstractAssertion implements AssertionInterface, ServiceLocatorAw
     const PRIVILEGE_UPDATE = 'update';
     const PRIVILEGE_DELETE = 'delete';
 
-    /**
-     * @var Acl
-     */
-    protected $acl;
-
-    /**
-     * copntrôle par les privileges activés ou non
-     *
-     * @var boolean
-     */
-    protected $assertPrivilegesEnabled = false;
-
-    /**
-     * contrôle par les ressources activés ou non
-     *
-     * @var boolean
-     */
-    protected $assertResourcesEnabled = true;
-
-    /**
-     * @var string
-     */
-    protected $privilege;
-
-    /**
-     * @var ResourceInterface|string
-     */
-    protected $resource;
-
-    /**
-     * @var RoleInterface
-     */
-    protected $role;
-
     /**
      * !!!! Pour éviter l'erreur "Serialization of 'Closure' is not allowed"... !!!!
      * 
@@ -89,112 +50,167 @@ abstract class AbstractAssertion implements AssertionInterface, ServiceLocatorAw
      */
     public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
     {
+        /** @deprecated */
         $this->acl       = $acl;
         $this->resource  = $resource;
         $this->privilege = $privilege;
-        $this->role      = $this->getSelectedIdentityRole();
+        $this->role      = $role;
+        /* fin de deprecated */
 
-        if (! $this->assertPrivilege()                              ) return false;
-        if (! $this->assertResource()                               ) return false;
-        return true;
-    }
+        // gestion des privilèges
+        if ($this->detectPrivilege($resource)){
+            if (! $this->assertPrivilege ($acl, $role, ltrim( strstr( $resource, '/' ), '/'), $privilege)) return false;
 
-    private function assertPrivilege()
-    {
-        if (! $this->assertPrivilegesEnabled) return true; // si pas activé alors on sort
-        if ($this->role instanceof Role && ! empty($this->resource) && ! empty($this->privilege)){
-            return $this->role->hasPrivilege($this->privilege, $this->resource);
-        }
-        return true;
-    }
+        // gestion des contrôleurs
+        }else if($this->detectController($resource)){
+            $spos = strpos($resource,'/')+1;
+            $dpos = strrpos($resource, ':')+1;
+            $controller = substr( $resource, $spos, $dpos-$spos-1);
+            $action = substr( $resource, $dpos );
+            if (! $this->assertController ($acl, $role, $controller, $action, $privilege)) return false;
 
-    private function assertResource()
-    {
-        if (! $this->assertResourcesEnabled) return true; // si pas activé alors on sort
-        if (! $this->resource instanceof ResourceInterface) return true; // pas assez de précisions
-        $resourceId = $this->resource->getResourceId();
+        // gestion des entités
+        }else if($this->detectEntity($resource)){
+            if (! $this->assertEntity ($acl, $role, $resource, $privilege)) return false;
+
+        // gestion de tout le reste
+        }else{
+            if (! $this->assertOther ($acl, $role, $resource, $privilege)) return false;
 
-        if (method_exists( $this, 'assertResource'.$resourceId)){
-            return $this->{'assertResource'.$resourceId}( $this->resource );
         }
 
         return true;
     }
 
+
     /**
      *
-     * @return MvcEvent
+     * @param string $resource
+     * @return boolean
      */
-    protected function getMvcEvent()
+    private function detectPrivilege( $resource=null )
     {
-        return $this->getServiceLocator()->get('Application')->getMvcEvent();
+        return is_string($resource) && 0 === strpos($resource, 'privilege/');
     }
 
     /**
+     *
+     * @param Acl $acl
+     * @param RoleInterface $role
+     * @param string $privilege
+     * @param string $subPrivilege
      * @return boolean
      */
-    protected function assertCRUD()
+    protected function assertPrivilege(Acl $acl, RoleInterface $role=null, $privilege=null, $subPrivilege=null)
     {
-        if (!$this->privilege) {
         return true;
     }
 
-        switch ($this->privilege) {
-            case self::PRIVILEGE_CREATE:
-                return $this->_assertCreate();
-            case self::PRIVILEGE_READ:
-                return $this->_assertRead();
-            case self::PRIVILEGE_UPDATE:
-                return $this->_assertUpdate();
-            case self::PRIVILEGE_DELETE:
-                return $this->_assertDelete();
-            default:
-                return true;
-        }
-    }
 
-    private function _assertCreate()
+    /**
+     *
+     * @param string $resource
+     * @return boolean
+     */
+    private function detectController( $resource=null )
     {
-        if (is_object($this->resource) && $this->resource->getId()) {
-            return false;
+        return is_string($resource) && 0 === strpos($resource, 'controller/');
     }
 
+    /**
+     *
+     * @param Acl $acl
+     * @param RoleInterface $role
+     * @param string $controller
+     * @param string $action
+     * @param string $privilege
+     * @return boolean
+     */
+    protected function assertController(Acl $acl, RoleInterface $role=null, $controller=null, $action=null, $privilege=null)
+    {
         return true;
     }
 
-    private function _assertRead()
+
+    /**
+     *
+     * @param string $resource
+     * @return boolean
+     */
+    private function detectEntity( $resource=null )
     {
-        if (is_object($this->resource) && !$this->resource->getId()) {
-            return false;
+        return
+            is_object($resource)
+            && method_exists($resource, 'getId');
     }
 
+    /**
+     *
+     * @param Acl $acl
+     * @param RoleInterface $role
+     * @param ResourceInterface $entity
+     * @param string $privilege
+     * @return boolean
+     */
+    protected function assertEntity(Acl $acl, RoleInterface $role=null, ResourceInterface $entity=null, $privilege=null)
+    {
         return true;
     }
 
-    private function _assertUpdate()
-    {
-        if (is_object($this->resource) && !$this->resource->getId()) {
-            return false;
-        }
 
+    /**
+     *
+     * @param Acl $acl
+     * @param RoleInterface $role
+     * @param ResourceInterface $entity
+     * @param string $privilege
+     * @return boolean
+     */
+    protected function assertOther(Acl $acl, RoleInterface $role=null, ResourceInterface $entity=null, $privilege=null)
+    {
         return true;
     }
 
-    private function _assertDelete()
+
+    /**
+     * @deprecated ?
+     * @return boolean
+     */
+    protected function assertCRUD()
     {
-        if (is_object($this->resource) && !$this->resource->getId()) {
-            return false;
+        if (!$this->privilege) {
+            return true;
         }
 
+        switch ($this->privilege) {
+            case self::PRIVILEGE_CREATE:
+                return ! (is_object($this->resource) && $this->resource->getId());
+            case self::PRIVILEGE_READ:
+                return ! (is_object($this->resource) && !$this->resource->getId());
+            case self::PRIVILEGE_UPDATE:
+                return ! (is_object($this->resource) && !$this->resource->getId());
+            case self::PRIVILEGE_DELETE:
+                return ! (is_object($this->resource) && !$this->resource->getId());
+            default:
                 return true;
         }
+    }
 
-    protected function getSelectedIdentityRole()
+
+    /**
+     * 
+     * @return MvcEvent
+     */
+    protected function getMvcEvent()
     {
-        return $this->getServiceContext()->getSelectedIdentityRole();
+        $application = $this->getServiceLocator()->get('Application');
+        return $application->getMvcEvent();
     }
 
+
     /**
+     * @deprecated
+     *
      * Retourne un privilège "normalisé" en fonction du type de ressource spécifié.
      *
      * - Si la ressource est un objet, le privilège est directement utilisable.
@@ -217,50 +233,4 @@ abstract class AbstractAssertion implements AssertionInterface, ServiceLocatorAw
 
         return $privilege;
     }
-
-    /**
-     * Teste si la date de fin de "privilège" du rôle courant est dépassée ou non.
-     * 
-     * @return boolean
-     */
-    protected function isDateFinPrivilegeDepassee()
-    {
-        $dateFin = null;
-        
-        /**
-         * Rôle Intervenant Permanent
-         */
-        if ($this->role instanceof IntervenantPermanentRole) {
-            // il existe une date de fin de saisie (i.e. ajout, modif, suppression) de service par les intervenants permanents eux-mêmes
-            if (in_array($this->privilege, [self::PRIVILEGE_CREATE, self::PRIVILEGE_UPDATE, self::PRIVILEGE_DELETE])) {
-                $dateFin = $this->getServiceContext()->getDateFinSaisiePermanents();
-                
-                /**
-                 * Vilaine verrue pour prolonger la période de saisie des permanents de l'ESPE
-                 * @todo Virer cette verrue après le 27/03/2015 !!
-                 */
-                if ($this->role->getIntervenant()->getStructure()->getSourceCode() === 'E01') {
-                    $dateFin = new \DateTime('2015-03-27');
-                }
-            }
-        }
-
-        if (null === $dateFin) {
-            return false;
-        }
-                
-        $now = new DateTime();
-
-        $now->setTime(0, 0, 0);
-        $dateFin->setTime(0, 0, 0);
-
-        return $now > $dateFin;
-    }
-
-    public static function getAssertionId()
-    {
-        $getCalledClass = get_called_class();
-        $getCalledClass = substr( $getCalledClass, strrpos( $getCalledClass, '\\')+1 );
-        return $getCalledClass;
-    }
 }
\ No newline at end of file

module/Application/src/Application/Assertion/AgrementAssertion.php

@@ -54,7 +54,7 @@ class AgrementAssertion extends AbstractAssertion implements AgrementServiceAwar
          * Cas N°1 : la ressource spécifiée est une entité ; un privilège est spécifié.
          */
         if ($resource instanceof Agrement) {
-            return $this->assertEntity();
+            return $this->assertEntityOld();
         }
         
         /**
@@ -107,7 +107,7 @@ class AgrementAssertion extends AbstractAssertion implements AgrementServiceAwar
      * 
      * @return boolean
      */
-    protected function assertEntity()
+    protected function assertEntityOld()
     {
         if (!parent::assertCRUD()) {
             return false;

module/Application/src/Application/Assertion/ContratAssertion.php

@@ -50,7 +50,7 @@ class ContratAssertion extends AbstractAssertion implements WorkflowIntervenantA
         parent::assert($acl, $role, $resource, $privilege);
         
         if ($resource instanceof Contrat) {
-            return $this->assertEntity();
+            return $this->assertEntityOld();
         }
         
         return true;
@@ -60,7 +60,7 @@ class ContratAssertion extends AbstractAssertion implements WorkflowIntervenantA
      * 
      * @return boolean
      */
-    protected function assertEntity()
+    protected function assertEntityOld()
     {
         if (!parent::assertCRUD()) {
             return false;

module/Application/src/Application/Assertion/FichierAssertion.php

@@ -48,7 +48,7 @@ class FichierAssertion extends AbstractAssertion implements /*FichierServiceAwar
          * Cas N°1 : la ressource spécifiée est une entité ; un privilège est spécifié.
          */
         if ($resource instanceof Fichier) {
-            return $this->assertEntity();
+            return $this->assertEntityOld();
         }
         
         /**
@@ -65,7 +65,7 @@ class FichierAssertion extends AbstractAssertion implements /*FichierServiceAwar
      * 
      * @return boolean
      */
-    protected function assertEntity()
+    protected function assertEntityOld()
     {
         if (!parent::assertCRUD()) {
             return false;

module/Application/src/Application/Assertion/MiseEnPaiementAssertion.php

@@ -5,6 +5,7 @@ namespace Application\Assertion;
 use Application\Interfaces\StructureAwareInterface;
 use Application\Entity\Db\ServiceAPayerInterface;
 use Application\Entity\Db\MiseEnPaiement;
+use Zend\Permissions\Acl;
 
 /**
  * Description of MiseEnPaiementAssertion
@@ -18,17 +19,20 @@ class MiseEnPaiementAssertion extends AbstractAssertion
     const PRIVILEGE_VALIDATION         = 'validation';
     const PRIVILEGE_MISE_EN_PAIEMENT   = 'mise-en-paiement';
 
-    protected $assertPrivilegesEnabled = true;
 
+    protected function assertEntity(Acl\Acl $acl, Acl\Role\RoleInterface $role = null, Acl\Resource\ResourceInterface $entity = null, $privilege = null)
+    {
+        if ($entity instanceof MiseEnPaiement)
+            return $this->assertEntityMiseEnPaiement($entity);
+
+        return true;
+    }
 
-    protected function assertResourceMiseEnPaiement( MiseEnPaiement $miseEnPaiement )
+    protected function assertEntityMiseEnPaiement( MiseEnPaiement $miseEnPaiement )
     {
         if ($miseEnPaiement->getValidation() && $this->privilege == self::PRIVILEGE_DEMANDE){
             return false; // pas de nouvelle demande si la mise en paiement est déjà validée
         }
-//        if ($miseEnPaiement->getValidation() === null && $this->privilege == self::PRIVILEGE_MISE_EN_PAIEMENT){
-//            return false; // impossible de mettre en paiement une demande non validée
-//        }
 
         if ($serviceAPayer = $miseEnPaiement->getServiceAPayer()){
             return $this->assertResourceServiceAPayer($serviceAPayer);

module/Application/src/Application/Assertion/PieceJointeAssertion.php

@@ -40,7 +40,7 @@ class PieceJointeAssertion extends AbstractAssertion implements WorkflowInterven
          * Cas N°1 : la ressource spécifiée est une entité ; un privilège est spécifié.
          */
         if ($resource instanceof PieceJointe) {
-            return $this->assertEntity($acl, $role, $resource, $privilege);
+            return $this->assertEntityOld($acl, $role, $resource, $privilege);
         }
         
         /**
@@ -57,7 +57,7 @@ class PieceJointeAssertion extends AbstractAssertion implements WorkflowInterven
      * 
      * @return boolean
      */
-    protected function assertEntity()
+    protected function assertEntityOld()
     {
         if (!parent::assertCRUD()) {
             return false;

module/Application/src/Application/Assertion/ServiceAssertion.php

@@ -13,6 +13,8 @@ use Zend\Permissions\Acl\Acl;
 use Zend\Permissions\Acl\Resource\ResourceInterface;
 use Zend\Permissions\Acl\Role\RoleInterface;
 use Application\Entity\Db\TypeVolumeHoraire;
+use DateTime;
+use Application\Acl\IntervenantPermanentRole;
 
 /**
  * Description of Service
@@ -44,7 +46,7 @@ class ServiceAssertion extends AbstractAssertion
         parent::assert($acl, $role, $resource, $privilege);
 
         if ($resource instanceof Service) {
-            return $this->assertEntity();
+            return $this->assertEntityOld();
         }
         
         return true;
@@ -56,7 +58,7 @@ class ServiceAssertion extends AbstractAssertion
      *
      * @return boolean
      */
-    protected function assertEntity()
+    protected function assertEntityOld()
     {
         /*********************************************************
          *                      Rôle administrateur
@@ -166,4 +168,35 @@ class ServiceAssertion extends AbstractAssertion
 
         return false;
     }
+
+    /**
+     * Teste si la date de fin de "privilège" du rôle courant est dépassée ou non.
+     *
+     * @return boolean
+     */
+    protected function isDateFinPrivilegeDepassee()
+    {
+        $dateFin = null;
+
+        /**
+         * Rôle Intervenant Permanent
+         */
+        if ($this->role instanceof IntervenantPermanentRole) {
+            // il existe une date de fin de saisie (i.e. ajout, modif, suppression) de service par les intervenants permanents eux-mêmes
+            if (in_array($this->privilege, [self::PRIVILEGE_CREATE, self::PRIVILEGE_UPDATE, self::PRIVILEGE_DELETE])) {
+                $dateFin = $this->getServiceContext()->getDateFinSaisiePermanents();
+            }
+        }
+
+        if (null === $dateFin) {
+            return false;
+        }
+
+        $now = new DateTime();
+
+        $now->setTime(0, 0, 0);
+        $dateFin->setTime(0, 0, 0);
+
+        return $now > $dateFin;
+    }
 }
\ No newline at end of file

module/Application/src/Application/Assertion/ServiceReferentielAssertion.php

@@ -13,6 +13,7 @@ use Application\Entity\Db\ServiceReferentiel;
 use Zend\Permissions\Acl\Acl;
 use Zend\Permissions\Acl\Resource\ResourceInterface;
 use Zend\Permissions\Acl\Role\RoleInterface;
+use DateTime;
 
 /**
  *
@@ -38,7 +39,7 @@ class ServiceReferentielAssertion extends AbstractAssertion
         parent::assert($acl, $role, $resource, $privilege);
         
         if ($resource instanceof ServiceReferentiel) {
-            return $this->assertEntity();
+            return $this->assertEntityOld();
         }
         
         return true;
@@ -50,7 +51,7 @@ class ServiceReferentielAssertion extends AbstractAssertion
      *
      * @return boolean
      */
-    protected function assertEntity()
+    protected function assertEntityOld()
     {
         $intervenant          = $this->resource->getIntervenant();
         $serviceStructure     = $this->resource->getStructure();
@@ -132,4 +133,35 @@ class ServiceReferentielAssertion extends AbstractAssertion
 
         return true;
     }
+
+    /**
+     * Teste si la date de fin de "privilège" du rôle courant est dépassée ou non.
+     *
+     * @return boolean
+     */
+    protected function isDateFinPrivilegeDepassee()
+    {
+        $dateFin = null;
+
+        /**
+         * Rôle Intervenant Permanent
+         */
+        if ($this->role instanceof IntervenantPermanentRole) {
+            // il existe une date de fin de saisie (i.e. ajout, modif, suppression) de service par les intervenants permanents eux-mêmes
+            if (in_array($this->privilege, [self::PRIVILEGE_CREATE, self::PRIVILEGE_UPDATE, self::PRIVILEGE_DELETE])) {
+                $dateFin = $this->getServiceContext()->getDateFinSaisiePermanents();
+            }
+        }
+
+        if (null === $dateFin) {
+            return false;
+        }
+
+        $now = new DateTime();
+
+        $now->setTime(0, 0, 0);
+        $dateFin->setTime(0, 0, 0);
+
+        return $now > $dateFin;
+    }
 }
\ No newline at end of file

module/Application/src/Application/Assertion/TestAssertion.php

+<?php
+
+namespace Application\Assertion;
+
+use Application\Entity\Db\Service;
+use Zend\Permissions\Acl\Acl;
+use Zend\Permissions\Acl\Resource\ResourceInterface;
+use Zend\Permissions\Acl\Role\RoleInterface;
+
+/**
+ * Description of TestAssertion
+ *
+ * @author Laurent LÉCLUSE <laurent.lecluse at unicaen.fr>
+ */
+class TestAssertion extends AbstractAssertion
+{
+    /**
+     * @var Service
+     */
+    protected $resource;
+
+    /**
+     * Returns true if and only if the assertion conditions are met
+     *
+     * This method is passed the ACL, Role, Resource, and privilege to which the authorization query applies. If the
+     * $role, $resource, or $privilege parameters are null, it means that the query applies to all Roles, Resources, or
+     * privileges, respectively.
+     *
+     * @param  Acl               $acl
+     * @param  RoleInterface     $role
+     * @param  ResourceInterface $resource
+     * @param  string            $privilege
+     * @return bool
+     */
+    public function assert(Acl $acl, RoleInterface $role = null, ResourceInterface $resource = null, $privilege = null)
+    {
+        parent::assert($acl, $role, $resource, $privilege);
+var_dump($acl->getRoles());
+//        var_dump($acl);
+//        var_dump($role);
+//        var_dump($resource);
+//        var_dump($privilege);
+
+        return true;
+    }
+}
\ No newline at end of file

module/Application/src/Application/Assertion/ValidationEnsRefAbstractAssertion.php

@@ -37,7 +37,7 @@ abstract class ValidationEnsRefAbstractAssertion extends AbstractAssertion
         parent::assert($acl, $role, $resource, $privilege);
         
         if ($resource instanceof ValidationEntity) {
-            return $this->assertEntity();
+            return $this->assertEntityOld();
         }
         
         return true;

module/Application/src/Application/Assertion/ValidationReferentielAssertion.php

@@ -79,7 +79,7 @@ class ValidationReferentielAssertion extends ValidationEnsRefAbstractAssertion
 //        
 //        return false;
 //    }
-    protected function assertEntity()
+    protected function assertEntityOld()
     {
         $rule = $this->getServiceLocator()->get('ValidationReferentielRule')
                 ->setIntervenant($this->resource->getIntervenant())