From 1524ed8ce99f1d42cdb496e1bf8fc6ffebeb853c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julien=20Fastr=C3=A9?=
Date: Mon, 16 Mar 2026 14:54:47 +0000
Subject: [PATCH] Replace `ActivityVoter::SEE` with `AccompanyingPeriodVoter::SEE` for correct authorization check
---
 .changes/unreleased/Security-20260316-153605.yaml | 7 +++++++
 .../Repository/ActivityACLAwareRepository.php | 3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 .changes/unreleased/Security-20260316-153605.yaml
diff --git a/.changes/unreleased/Security-20260316-153605.yaml b/.changes/unreleased/Security-20260316-153605.yaml
new file mode 100644
index 000000000..1c383d2d6
--- /dev/null
+++ b/.changes/unreleased/Security-20260316-153605.yaml
@@ -0,0 +1,7 @@
+kind: Security
+body: Fix permission in list of activities in person context
+time: 2026-03-16T15:36:05.243511868+01:00
+custom:
+ Issue: "506"
+ MR: "972"
+ SchemaChange: No schema change
diff --git a/src/Bundle/ChillActivityBundle/Repository/ActivityACLAwareRepository.php b/src/Bundle/ChillActivityBundle/Repository/ActivityACLAwareRepository.php
index 34ddfe432..57935a2d9 100644
--- a/src/Bundle/ChillActivityBundle/Repository/ActivityACLAwareRepository.php
+++ b/src/Bundle/ChillActivityBundle/Repository/ActivityACLAwareRepository.php
@@ -24,6 +24,7 @@ use Chill\MainBundle\Security\Authorization\AuthorizationHelperForCurrentUserInt
 use Chill\MainBundle\Security\Resolver\CenterResolverManagerInterface;
 use Chill\PersonBundle\Entity\AccompanyingPeriod;
 use Chill\PersonBundle\Entity\Person;
+use Chill\PersonBundle\Security\Authorization\AccompanyingPeriodVoter;
 use Doctrine\DBAL\Types\Types;
 use Doctrine\ORM\AbstractQuery;
 use Doctrine\ORM\EntityManagerInterface;
@@ -340,7 +341,7 @@ final readonly class ActivityACLAwareRepository implements ActivityACLAwareRepos
 }
 foreach ($person->getAccompanyingPeriodParticipations() as $participation) {
- if (!$this->security->isGranted(ActivityVoter::SEE, $participation->getAccompanyingPeriod())) {
+ if (!$this->security->isGranted(AccompanyingPeriodVoter::SEE, $participation->getAccompanyingPeriod())) {
 continue;
 }
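Review bot: The `isGranted(AccompanyingPeriodVoter::SEE, …)` guard in the participation loop now decides only whether the period itself is visible, and nothing in this hunk shows that the activity-level right (`ActivityVoter::SEE`) is still enforced for the activities collected from those periods. The enclosing method starts and ends outside the hunk, so this should be confirmed against the rest of the query before merging. The diffstat lists only the changelog entry and this repository file, so the permission fix ships without a regression test; a case where the user holds the activity role but may not see one of the person's periods, asserting that its activities are absent from the list, would pin the behaviour. A short why-comment above the check, such as `// filter on the user's right to see the period itself, not on the activity role`, would also keep a later edit from swapping the voter back.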