Block document editing if any signature associated to a workflow is signed

Add a check in `WorkflowStoredObjectPermissionHelper` to block document editing once any signature is signed. Accompanied by new tests to verify this behavior.

src/Bundle/ChillDocStoreBundle/Service/WorkflowStoredObjectPermissionHelper.php

@@ -11,6 +11,7 @@ declare(strict_types=1);
 
 namespace Chill\DocStoreBundle\Service;
 
+use Chill\MainBundle\Entity\Workflow\EntityWorkflowSignatureStateEnum;
 use Chill\MainBundle\Workflow\EntityWorkflowManager;
 use Symfony\Component\Security\Core\Security;
 
@@ -31,6 +32,16 @@ class WorkflowStoredObjectPermissionHelper
             if (!$workflow->getCurrentStep()->getAllDestUser()->contains($currentUser)) {
                 return false;
             }
+
+            // as soon as there is one signatured applyied, we are not able to
+            // edit the document any more
+            foreach ($workflow->getSteps() as $step) {
+                foreach ($step->getSignatures() as $signature) {
+                    if (EntityWorkflowSignatureStateEnum::SIGNED === $signature->getState()) {
+                        return false;
+                    }
+                }
+            }
         }
 
         return true;

src/Bundle/ChillDocStoreBundle/Tests/Service/WorkflowStoredObjectPermissionHelperTest.php

@@ -0,0 +1,101 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Chill is a software for social workers
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace Chill\DocStoreBundle\Tests\Service;
+
+use Chill\DocStoreBundle\Service\WorkflowStoredObjectPermissionHelper;
+use Chill\MainBundle\Entity\User;
+use Chill\MainBundle\Entity\Workflow\EntityWorkflow;
+use Chill\MainBundle\Entity\Workflow\EntityWorkflowSignatureStateEnum;
+use Chill\MainBundle\Entity\Workflow\EntityWorkflowStepSignature;
+use Chill\MainBundle\Workflow\EntityWorkflowManager;
+use Chill\MainBundle\Workflow\WorkflowTransitionContextDTO;
+use Chill\PersonBundle\Entity\Person;
+use PHPUnit\Framework\TestCase;
+use Prophecy\Argument;
+use Prophecy\PhpUnit\ProphecyTrait;
+use Symfony\Component\Security\Core\Security;
+
+/**
+ * @internal
+ *
+ * @coversNothing
+ */
+class WorkflowStoredObjectPermissionHelperTest extends TestCase
+{
+    use ProphecyTrait;
+
+    /**
+     * @dataProvider provideDataNotBlockByWorkflow
+     */
+    public function testNotBlockByWorkflow(EntityWorkflow $entityWorkflow, User $user, bool $expected, string $message): void
+    {
+        $object = new \stdClass();
+        $helper = $this->buildHelper($object, $entityWorkflow, $user);
+
+        self::assertEquals($expected, $helper->notBlockedByWorkflow($entityWorkflow), $message);
+    }
+
+    private function buildHelper(object $relatedEntity, EntityWorkflow $entityWorkflow, User $user): WorkflowStoredObjectPermissionHelper
+    {
+        $security = $this->prophesize(Security::class);
+        $security->getUser()->willReturn($user);
+
+        $entityWorkflowManager = $this->prophesize(EntityWorkflowManager::class);
+        $entityWorkflowManager->findByRelatedEntity(Argument::type('object'))->willReturn([$entityWorkflow]);
+
+        return new WorkflowStoredObjectPermissionHelper($security->reveal(), $entityWorkflowManager->reveal());
+    }
+
+    public static function provideDataNotBlockByWorkflow(): iterable
+    {
+        $entityWorkflow = new EntityWorkflow();
+        $dto = new WorkflowTransitionContextDTO($entityWorkflow);
+        $entityWorkflow->setStep('test', $dto, 'to_test', new \DateTimeImmutable());
+
+        yield [$entityWorkflow, new User(), false, 'blocked because the user is not present as a dest user'];
+
+        $entityWorkflow = new EntityWorkflow();
+        $dto = new WorkflowTransitionContextDTO($entityWorkflow);
+        $dto->futureDestUsers[] = $user = new User();
+        $entityWorkflow->setStep('test', $dto, 'to_test', new \DateTimeImmutable(), $user);
+
+        yield [$entityWorkflow, $user, true, 'allowed because the user is present as a dest user'];
+
+        $entityWorkflow = new EntityWorkflow();
+        $dto = new WorkflowTransitionContextDTO($entityWorkflow);
+        $dto->futureDestUsers[] = $user = new User();
+        $entityWorkflow->setStep('test', $dto, 'to_test', new \DateTimeImmutable(), $user);
+        $entityWorkflow->getCurrentStep()->setIsFinal(true);
+
+        yield [$entityWorkflow, $user, false, 'blocked because the step is final'];
+
+        $entityWorkflow = new EntityWorkflow();
+        $dto = new WorkflowTransitionContextDTO($entityWorkflow);
+        $dto->futureDestUsers[] = $user = new User();
+        $entityWorkflow->setStep('test', $dto, 'to_test', new \DateTimeImmutable(), $user);
+        $step = $entityWorkflow->getCurrentStep();
+        new EntityWorkflowStepSignature($step, new Person());
+
+        yield [$entityWorkflow, $user, true, 'allow, a signature is present but still pending'];
+
+        $entityWorkflow = new EntityWorkflow();
+        $dto = new WorkflowTransitionContextDTO($entityWorkflow);
+        $dto->futureDestUsers[] = $user = new User();
+        $entityWorkflow->setStep('test', $dto, 'to_test', new \DateTimeImmutable(), $user);
+        $step = $entityWorkflow->getCurrentStep();
+        $signature = new EntityWorkflowStepSignature($step, new Person());
+        $signature->setState(EntityWorkflowSignatureStateEnum::SIGNED);
+
+        yield [$entityWorkflow, $user, false, 'blocked, a signature is present and signed'];
+
+    }
+}