feat: add system roles on project creation

apps/client/src/components/AdminRoleForm.vue

@@ -12,6 +12,7 @@ const props = withDefaults(defineProps<{
   permissions: bigint
   name: string
   oidcGroup: string
+  type?: string
 }>(), {
   name: 'Nouveau rôle',
   oidcGroup: '',
@@ -139,6 +140,7 @@ function closeModal() {
         label-visible
         hint="Ne doit pas dépasser 30 caractères."
         class="mb-5"
+        :disabled="role.type === 'system'"
       />
       <p
         class="fr-h6"
@@ -174,6 +176,7 @@ function closeModal() {
         label-visible
         placeholder="/admin"
         class="mb-5"
+        :disabled="role.type === 'system'"
       />
       <DsfrButton
         data-testid="saveBtn"

apps/client/src/components/ProjectRoleForm.vue

@@ -1,6 +1,6 @@
 <script lang="ts" setup>
 import { computed, ref } from 'vue'
-import type { Member, ProjectV2, RoleBigint } from '@cpn-console/shared'
+import type { Member, ProjectRoleBigint, ProjectV2 } from '@cpn-console/shared'
 import { PROJECT_PERMS, projectPermsDetails, shallowEqual } from '@cpn-console/shared'
 
 const props = defineProps<{
@@ -10,19 +10,23 @@ const props = defineProps<{
   allMembers: Member[]
   projectId: ProjectV2['id']
   isEveryone: boolean
+  oidcGroup?: string
+  type?: string
 }>()
 
 defineEmits<{
   delete: []
   updateMemberRoles: [checked: boolean, userId: Member['userId']]
-  save: [value: Omit<RoleBigint, 'position'>]
+  save: [value: Omit<ProjectRoleBigint, 'position' | 'projectId'>]
   cancel: []
 }>()
 const router = useRouter()
 const role = ref({
   ...props,
   permissions: props.permissions ?? 0n,
   allMembers: props.allMembers ?? [],
+  oidcGroup: props.oidcGroup ?? '',
+  type: props.type ?? 'custom',
 })
 
 const isUpdated = computed(() => {
@@ -66,7 +70,15 @@ function updateChecked(checked: boolean, value: bigint) {
         data-testid="roleNameInput"
         label-visible
         class="mb-5"
-        :disabled="role.isEveryone"
+        :disabled="role.isEveryone || role.type === 'system'"
+      />
+      <h6>Groupe OIDC</h6>
+      <DsfrInput
+        v-model="role.oidcGroup"
+        data-testid="roleOidcGroupInput"
+        label-visible
+        class="mb-5"
+        :disabled="role.isEveryone || role.type === 'system'"
       />
       <h6>Permissions</h6>
       <div
@@ -87,7 +99,7 @@ function updateChecked(checked: boolean, value: bigint) {
           :label="perm?.label"
           :hint="perm?.hint"
           :name="perm.key"
-          :disabled="role.permissions & PROJECT_PERMS.MANAGE && perm.key !== 'MANAGE'"
+          :disabled="(role.permissions & PROJECT_PERMS.MANAGE && perm.key !== 'MANAGE') || role.type === 'system'"
           @update:model-value="(checked: boolean) => updateChecked(checked, PROJECT_PERMS[perm.key])"
         />
       </div>
@@ -100,7 +112,7 @@ function updateChecked(checked: boolean, value: bigint) {
         @click="$emit('save', role)"
       />
       <DsfrButton
-        v-if="!role.isEveryone"
+        v-if="!role.isEveryone && role.type !== 'system'"
         data-testid="deleteBtn"
         label="Supprimer"
         secondary

apps/client/src/components/ProjectRoles.vue

@@ -1,5 +1,5 @@
 <script lang="ts" setup>
-import type { Member, Role, RoleBigint } from '@cpn-console/shared'
+import type { Member, ProjectRole, ProjectRoleBigint, Role, RoleBigint } from '@cpn-console/shared'
 import { useSnackbarStore } from '@/stores/snackbar.js'
 import type { Project } from '@/utils/project-utils.js'
 
@@ -11,7 +11,7 @@ const snackbarStore = useSnackbarStore()
 
 const selectedId = ref<string>()
 
-type RoleItem = Omit<Role, 'permissions'> & { permissions: bigint, memberCounts: number, isEveryone: boolean }
+type RoleItem = Omit<ProjectRole, 'permissions'> & { permissions: bigint, memberCounts: number, isEveryone: boolean }
 
 const roleList = ref<RoleItem[]>([])
 
@@ -56,7 +56,7 @@ async function saveEveryoneRole(role: { permissions: bigint }) {
   snackbarStore.setMessage('Rôle mis à jour', 'success')
 }
 
-async function saveRole(role: Omit<RoleBigint, 'position'>) {
+async function saveRole(role: Omit<ProjectRoleBigint, 'position' | 'projectId'>) {
   if (role.id === 'everyone') {
     await saveEveryoneRole(role)
     snackbarStore.setMessage('Rôle mis à jour', 'success')
@@ -67,6 +67,7 @@ async function saveRole(role: Omit<RoleBigint, 'position'>) {
     id: selectedRole.value.id,
     permissions: role.permissions.toString(),
     name: role.name,
+    oidcGroup: role.oidcGroup,
   }])
   reload()
   snackbarStore.setMessage('Rôle mis à jour', 'success')
@@ -86,6 +87,7 @@ function reload() {
     permissions: BigInt(props.project.everyonePerms),
     position: 1000,
     isEveryone: true,
+    projectId: props.project.id,
   })
   roleList.value = roles
 }
@@ -142,6 +144,8 @@ watch(props.project, reload, { immediate: true })
       :permissions="BigInt(selectedRole.permissions)"
       :project-id="project.id"
       :is-everyone="selectedRole.isEveryone"
+      :oidc-group="selectedRole.oidcGroup"
+      :type="selectedRole.type"
       :all-members="project.members"
       @delete="deleteRole(selectedRole.id)"
       @update-member-roles="(checked: boolean, userId: Member['userId']) => updateMember(checked, userId)"

apps/client/src/utils/project-utils.ts

@@ -64,7 +64,7 @@ export class Project implements ProjectV2 {
   locked: boolean
   owner: Omit<User, 'adminRoleIds'>
   ownerId: string
-  roles: { id: string, name: string, permissions: string, position: number }[]
+  roles: { id: string, name: string, permissions: string, position: number, projectId: string, oidcGroup?: string, type?: string }[]
   members: ({ userId: string, firstName: string, lastName: string, email: string, roleIds: string[] } | { updatedAt: string, createdAt: string, firstName: string, lastName: string, email: string, userId: string, roleIds: string[] })[]
   createdAt: string
   updatedAt: string

apps/client/src/views/admin/AdminRoles.vue

@@ -117,6 +117,7 @@ onBeforeMount(async () => {
       :name="selectedRole.name"
       :permissions="BigInt(selectedRole.permissions)"
       :oidc-group="selectedRole.oidcGroup"
+      :type="selectedRole.type"
       @delete="deleteRole(selectedRole.id)"
       @save="(role: Pick<AdminRole, 'name' | 'oidcGroup' | 'permissions'>) => saveRole(role)"
       @cancel="() => cancel()"

apps/server/src/prisma/migrations/20260127154602_add_oidc_group_to_project_role/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "ProjectRole" ADD COLUMN     "oidcGroup" TEXT NOT NULL DEFAULT '';

apps/server/src/prisma/migrations/20260127164002_add_type_to_roles/migration.sql

@@ -0,0 +1,11 @@
+-- AlterTable
+ALTER TABLE "AdminRole" ADD COLUMN     "type" TEXT NOT NULL DEFAULT 'custom';
+
+-- AlterTable
+ALTER TABLE "ProjectRole" ADD COLUMN     "type" TEXT NOT NULL DEFAULT 'custom';
+
+-- Update AdminRole system roles
+UPDATE "AdminRole" SET "type" = 'system' WHERE "name" IN ('Admin', 'Admin Locaux');
+
+-- Update ProjectRole system roles
+UPDATE "ProjectRole" SET "type" = 'system' WHERE "name" IN ('Administrateur', 'DevOps', 'Développeur', 'Lecture seule');

apps/server/src/prisma/migrations/migration_lock.toml

@@ -1,3 +1,3 @@
 # Please do not edit this file manually
 # It should be added in your version-control system (e.g., Git)
-provider = "postgresql"
+provider = "postgresql"

apps/server/src/prisma/schema/admin.prisma

@@ -12,6 +12,7 @@ model AdminRole {
   permissions BigInt
   position    Int    @db.SmallInt
   oidcGroup   String @default("")
+  type        String @default("custom")
 }
 
 model SystemSetting {

apps/server/src/prisma/schema/project.prisma

@@ -66,6 +66,8 @@ model ProjectRole {
   permissions BigInt
   projectId   String  @db.Uuid
   position    Int     @db.SmallInt
+  oidcGroup   String  @default("")
+  type        String  @default("custom")
   project     Project @relation(fields: [projectId], references: [id])
 }