add user management

src/Security/ActiveUserChecker.php

@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Security;
+
+use App\Entity\User;
+use Symfony\Component\Security\Core\Exception\DisabledException;
+use Symfony\Component\Security\Core\User\UserCheckerInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+/**
+ * Blocks login for users that were deactivated in the admin area.
+ */
+final class ActiveUserChecker implements UserCheckerInterface
+{
+    public function checkPreAuth(UserInterface $user): void
+    {
+        if ($user instanceof User && !$user->isActive()) {
+            throw new DisabledException('Dieser Benutzer ist deaktiviert.');
+        }
+    }
+
+    public function checkPostAuth(UserInterface $user): void
+    {
+        // No post-auth checks required.
+    }
+}

src/Security/ActiveUserSessionSubscriber.php

@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Security;
+
+use App\Entity\User;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+
+/**
+ * Invalidates already-authenticated sessions when an admin deactivates a user.
+ */
+final readonly class ActiveUserSessionSubscriber implements EventSubscriberInterface
+{
+    public function __construct(
+        private TokenStorageInterface $tokenStorage,
+        private UrlGeneratorInterface $urlGenerator,
+    ) {
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            KernelEvents::REQUEST => ['onKernelRequest', 8],
+        ];
+    }
+
+    public function onKernelRequest(RequestEvent $event): void
+    {
+        if (!$event->isMainRequest()) {
+            return;
+        }
+
+        $token = $this->tokenStorage->getToken();
+
+        if ($token === null) {
+            return;
+        }
+
+        $user = $token->getUser();
+
+        if (!$user instanceof User || $user->isActive()) {
+            return;
+        }
+
+        $this->tokenStorage->setToken(null);
+
+        $request = $event->getRequest();
+        if ($request->hasSession()) {
+            $request->getSession()->invalidate();
+        }
+
+        $route = str_starts_with($request->getPathInfo(), '/admin') ? 'admin_login' : 'chat_login';
+        $event->setResponse(new RedirectResponse($this->urlGenerator->generate($route)));
+    }
+}

src/Security/ApplicationRoles.php

@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Security;
+
+/**
+ * Central list of application roles that may be assigned by administrators.
+ */
+final class ApplicationRoles
+{
+    public const ROLE_SUPER_ADMIN = 'ROLE_SUPER_ADMIN';
+    public const ROLE_KNOWLEDGE_ADMIN = 'ROLE_KNOWLEDGE_ADMIN';
+    public const ROLE_EDITOR = 'ROLE_EDITOR';
+    public const ROLE_ADMIN_AREA = 'ROLE_ADMIN_AREA';
+    public const ROLE_CHAT_USER = 'ROLE_CHAT_USER';
+    public const ROLE_USER = 'ROLE_USER';
+
+    /**
+     * @return array<string, string>
+     */
+    public static function assignableChoices(): array
+    {
+        return [
+            self::ROLE_SUPER_ADMIN => 'Super Admin',
+            self::ROLE_KNOWLEDGE_ADMIN => 'Knowledge Admin',
+            self::ROLE_EDITOR => 'Editor',
+            self::ROLE_ADMIN_AREA => 'Adminbereich',
+            self::ROLE_CHAT_USER => 'Chat User',
+        ];
+    }
+
+    /**
+     * @return list<string>
+     */
+    public static function assignableRoleNames(): array
+    {
+        return array_keys(self::assignableChoices());
+    }
+
+    public static function label(string $role): string
+    {
+        return self::assignableChoices()[$role] ?? $role;
+    }
+}