AdminGit2026/nis2-agile
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[FIX] P2/P3: aggiunti i metodi+route realmente mancanti (commit precedenti incompleti)

Browse Source 
I commit 56ce97d/1a5db30/14c06c8 contenevano migrazioni+HTML ma gli Edit dei
metodi controller e delle route erano falliti silenziosamente (ancore errate).
Ora presenti e testati E2E in produzione:
- DashboardController::sectorBenchmark (era 501)
- SupplyChainController: sendQuestionnaire/publicQuestionnaire/submitPublicQuestionnaire/questionnaireStatus/resolveQuestionnaire + route 'supply-chain' (era 404)
- PolicyController: attest/attestations/versions/diff/pendingAttestations + snapshot in approve + route (era 404)
Test: benchmark 200, supplier flow send->submit(score 61)->dedup 409->DB risk_score=39,
policy approve->attest(coverage 50%)->bump v2.0->diff(+2/-1)->pending ricompare.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
DevEnv nis2-agile 2026-05-30 10:36:39 +02:00
parent c15d8db510
commit 31b8a4572c
3 changed files with 268 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

84
application/controllers/DashboardController.php
View File

@ -150,6 +150,90 @@ class DashboardController extends BaseController
]); ]);
} }
/**
* GET /api/dashboard/sectorBenchmark
* Benchmark settoriale ANONIMIZZATO (P2): confronta lo score di compliance
* dell'organizzazione con la media/distribuzione del proprio settore sulla
* rete multi-tenant. k-anonymity: aggregati solo se >= MIN_PEERS organizzazioni.
*/
public function sectorBenchmark(): void
{
$this->requireOrgAccess();
$orgId = $this->getCurrentOrgId();
$MIN_PEERS = 3;
$org = Database::fetchOne('SELECT sector FROM organizations WHERE id = ?', [$orgId]);
if (!$org) {
$this->jsonError('Organizzazione non trovata', 404, 'NOT_FOUND');
}
$sector = $org['sector'];
$mine = Database::fetchOne(
"SELECT overall_score FROM assessments WHERE organization_id = ? AND status='completed'
ORDER BY completed_at DESC LIMIT 1",
[$orgId]
);
$myScore = $mine ? (float) $mine['overall_score'] : null;
$rows = Database::fetchAll(
"SELECT a.overall_score
FROM assessments a
JOIN (
SELECT organization_id, MAX(completed_at) mx
FROM assessments WHERE status='completed'
GROUP BY organization_id
) last ON last.organization_id = a.organization_id AND last.mx = a.completed_at
JOIN organizations o ON o.id = a.organization_id
WHERE o.is_active = 1 AND o.sector = ? AND a.status='completed' AND a.overall_score IS NOT NULL",
[$sector]
);
$scores = array_map(fn($r) => (float) $r['overall_score'], $rows);
$n = count($scores);
if ($n < $MIN_PEERS) {
$this->jsonSuccess([
'sector' => $sector,
'sufficient_data' => false,
'min_peers_required' => $MIN_PEERS,
'peers_available' => $n,
'my_score' => $myScore,
'message' => 'Dati insufficienti per un benchmark anonimo (servono almeno ' . $MIN_PEERS . ' organizzazioni nel settore).',
]);
return;
}
sort($scores);
$avg = array_sum($scores) / $n;
$median = $n % 2 ? $scores[intdiv($n, 2)] : ($scores[$n / 2 - 1] + $scores[$n / 2]) / 2;
$p25 = $scores[(int) floor(0.25 * ($n - 1))];
$p75 = $scores[(int) floor(0.75 * ($n - 1))];
$percentile = null; $position = null;
if ($myScore !== null) {
$below = count(array_filter($scores, fn($s) => $s < $myScore));
$percentile = (int) round($below / $n * 100);
$position = $myScore >= $p75 ? 'top_quartile'
: ($myScore >= $median ? 'above_median'
: ($myScore >= $p25 ? 'below_median' : 'bottom_quartile'));
}
$this->jsonSuccess([
'sector' => $sector,
'sufficient_data' => true,
'peers' => $n,
'my_score' => $myScore !== null ? round($myScore, 1) : null,
'sector_average' => round($avg, 1),
'sector_median' => round($median, 1),
'sector_min' => round($scores[0], 1),
'sector_max' => round($scores[$n - 1], 1),
'sector_p25' => round($p25, 1),
'sector_p75' => round($p75, 1),
'my_percentile' => $percentile,
'my_position' => $position,
'delta_vs_average' => $myScore !== null ? round($myScore - $avg, 1) : null,
]);
}
/** /**
* GET /api/dashboard/upcoming-deadlines * GET /api/dashboard/upcoming-deadlines
*/ */

167
application/controllers/PolicyController.php
View File

@ -121,9 +121,24 @@ class PolicyController extends BaseController
$this->logAudit('policy_approved', 'policy', $id); $this->logAudit('policy_approved', 'policy', $id);
$policy = Database::fetchOne('SELECT * FROM policies WHERE id = ?', [$id]);
// Snapshot versione per storico/diff/attestation (P3)
try {
Database::insert('policy_versions', [
'policy_id' => $id,
'organization_id' => $this->getCurrentOrgId(),
'version' => $policy['version'] ?? '1.0',
'content' => $policy['content'] ?? null,
'change_note' => $this->getParam('change_note') ?: 'Approvazione',
'created_by' => $this->getCurrentUserId(),
]);
} catch (Throwable $e) {
error_log('[POLICY_VER] ' . $e->getMessage());
}
// Dispatch webhook policy.approved // Dispatch webhook policy.approved
try { try {
$policy = Database::fetchOne('SELECT * FROM policies WHERE id = ?', [$id]);
(new WebhookService())->dispatch( (new WebhookService())->dispatch(
$this->getCurrentOrgId(), $this->getCurrentOrgId(),
'policy.approved', 'policy.approved',
@ -181,4 +196,154 @@ class PolicyController extends BaseController
$this->jsonSuccess($templates); $this->jsonSuccess($templates);
} }
// ══════════════════════════════════════════════════════════════════════
// ATTESTATION + VERSIONING (P3)
// ══════════════════════════════════════════════════════════════════════
/** POST /api/policies/{id}/attest — dipendente prende visione (versione corrente). */
public function attest(int $id): void
{
$this->requireOrgAccess();
$policy = Database::fetchOne(
"SELECT id, version, status FROM policies WHERE id = ? AND organization_id = ? AND deleted_at IS NULL",
[$id, $this->getCurrentOrgId()]
);
if (!$policy) {
$this->jsonError('Policy non trovata', 404, 'NOT_FOUND');
}
if ($policy['status'] !== 'approved') {
$this->jsonError('Si puo attestare solo una policy approvata', 422, 'NOT_APPROVED');
}
$version = $policy['version'] ?? '1.0';
$existing = Database::fetchOne(
'SELECT id FROM policy_attestations WHERE policy_id = ? AND user_id = ? AND version = ?',
[$id, $this->getCurrentUserId(), $version]
);
if ($existing) {
$this->jsonSuccess(['already' => true, 'version' => $version], 'Presa visione gia registrata');
return;
}
Database::insert('policy_attestations', [
'policy_id' => $id,
'organization_id' => $this->getCurrentOrgId(),
'user_id' => $this->getCurrentUserId(),
'version' => $version,
'ip_address' => $this->attClientIp(),
]);
$this->logAudit('policy_attested', 'policy', $id, ['version' => $version]);
$this->jsonSuccess(['version' => $version], 'Presa visione registrata', 201);
}
/** GET /api/policies/{id}/attestations — copertura % presa visione (versione corrente). */
public function attestations(int $id): void
{
$this->requireOrgRole(['org_admin', 'compliance_manager', 'board_member', 'auditor']);
$policy = Database::fetchOne(
"SELECT id, title, version FROM policies WHERE id = ? AND organization_id = ? AND deleted_at IS NULL",
[$id, $this->getCurrentOrgId()]
);
if (!$policy) {
$this->jsonError('Policy non trovata', 404, 'NOT_FOUND');
}
$version = $policy['version'] ?? '1.0';
$members = Database::fetchAll(
'SELECT u.id, u.full_name, u.email FROM user_organizations uo
JOIN users u ON u.id = uo.user_id
WHERE uo.organization_id = ? AND u.is_active = 1',
[$this->getCurrentOrgId()]
);
$attested = Database::fetchAll(
'SELECT user_id, attested_at FROM policy_attestations WHERE policy_id = ? AND version = ?',
[$id, $version]
);
$attMap = [];
foreach ($attested as $a) { $attMap[(int) $a['user_id']] = $a['attested_at']; }
$list = array_map(fn($m) => [
'user_id' => (int) $m['id'],
'full_name' => $m['full_name'],
'email' => $m['email'],
'attested' => isset($attMap[(int) $m['id']]),
'attested_at' => $attMap[(int) $m['id']] ?? null,
], $members);
$total = count($members);
$done = count(array_filter($list, fn($x) => $x['attested']));
$this->jsonSuccess([
'policy_id' => $id,
'version' => $version,
'total_members' => $total,
'attested' => $done,
'coverage_percent' => $total ? (int) round($done * 100 / $total) : 0,
'members' => $list,
]);
}
/** GET /api/policies/{id}/versions — storico versioni. */
public function versions(int $id): void
{
$this->requireOrgAccess();
$rows = Database::fetchAll(
'SELECT id, version, change_note, created_by, created_at FROM policy_versions
WHERE policy_id = ? AND organization_id = ? ORDER BY created_at DESC',
[$id, $this->getCurrentOrgId()]
);
$this->jsonSuccess(['versions' => $rows]);
}
/** GET /api/policies/{id}/diff?from={vId}&to={vId} — diff line-by-line. */
public function diff(int $id): void
{
$this->requireOrgAccess();
$fromId = (int) $this->getParam('from');
$toId = (int) $this->getParam('to');
$a = Database::fetchOne('SELECT version, content FROM policy_versions WHERE id = ? AND policy_id = ? AND organization_id = ?', [$fromId, $id, $this->getCurrentOrgId()]);
$b = Database::fetchOne('SELECT version, content FROM policy_versions WHERE id = ? AND policy_id = ? AND organization_id = ?', [$toId, $id, $this->getCurrentOrgId()]);
if (!$a || !$b) {
$this->jsonError('Versione non trovata', 404, 'NOT_FOUND');
}
$linesA = preg_split('/\r\n|\r|\n/', (string) $a['content']);
$linesB = preg_split('/\r\n|\r|\n/', (string) $b['content']);
$setA = array_count_values(array_map('trim', $linesA));
$setB = array_count_values(array_map('trim', $linesB));
$added = []; $removed = [];
foreach ($linesB as $l) { $t = trim($l); if ($t !== '' && empty($setA[$t])) $added[] = $l; }
foreach ($linesA as $l) { $t = trim($l); if ($t !== '' && empty($setB[$t])) $removed[] = $l; }
$this->jsonSuccess([
'from' => ['id' => $fromId, 'version' => $a['version']],
'to' => ['id' => $toId, 'version' => $b['version']],
'added' => $added,
'removed' => $removed,
'summary' => ['added' => count($added), 'removed' => count($removed)],
]);
}
/** GET /api/policies/pending-attestations — policy approvate non ancora attestate dall'utente. */
public function pendingAttestations(): void
{
$this->requireOrgAccess();
$rows = Database::fetchAll(
"SELECT p.id, p.title, p.category, p.version, p.approved_at
FROM policies p
WHERE p.organization_id = ? AND p.status = 'approved' AND p.deleted_at IS NULL
AND NOT EXISTS (
SELECT 1 FROM policy_attestations a
WHERE a.policy_id = p.id AND a.user_id = ? AND a.version = p.version
)
ORDER BY p.approved_at DESC",
[$this->getCurrentOrgId(), $this->getCurrentUserId()]
);
$this->jsonSuccess(['pending' => $rows, 'count' => count($rows)]);
}
private function attClientIp(): ?string
{
$fwd = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
if ($fwd) { return trim(explode(',', $fwd)[0]); }
return $_SERVER['REMOTE_ADDR'] ?? null;
}
} }

20
public/index.php
View File

@ -252,17 +252,33 @@ $actionMap = [
'POST:{id}/approve' => 'approve', 'POST:{id}/approve' => 'approve',
'POST:aiGenerate' => 'aiGeneratePolicy', 'POST:aiGenerate' => 'aiGeneratePolicy',
'GET:templates' => 'getTemplates', 'GET:templates' => 'getTemplates',
// Attestation + versioning (P3)
'GET:pendingAttestations' => 'pendingAttestations',
'GET:pending-attestations' => 'pendingAttestations',
'POST:{id}/attest' => 'attest',
'GET:{id}/attestations' => 'attestations',
'GET:{id}/versions' => 'versions',
'GET:{id}/diff' => 'diff',
], ],
// ── SupplyChainController ─────────────────────── // ── SupplyChainController ───────────────────────
'supply-chain' => [ 'supply-chain' => [
'GET:list' => 'list', 'GET:list' => 'list',
'POST:create' => 'create', 'POST:create' => 'create',
'GET:riskOverview' => 'riskOverview',
// Self-assessment fornitori (P3)
'GET:publicQuestionnaire' => 'publicQuestionnaire', // NO AUTH (token)
'GET:public-questionnaire' => 'publicQuestionnaire', // NO AUTH (token)
'POST:submitPublicQuestionnaire' => 'submitPublicQuestionnaire', // NO AUTH (token)
'POST:submit-public-questionnaire' => 'submitPublicQuestionnaire', // NO AUTH (token)
'POST:{id}/sendQuestionnaire' => 'sendQuestionnaire',
'POST:{id}/send-questionnaire' => 'sendQuestionnaire',
'GET:{id}/questionnaireStatus' => 'questionnaireStatus',
'GET:{id}/questionnaire-status' => 'questionnaireStatus',
'POST:{id}/assess' => 'assessSupplier',
'GET:{id}' => 'get', 'GET:{id}' => 'get',
'PUT:{id}' => 'update', 'PUT:{id}' => 'update',
'DELETE:{id}' => 'delete', 'DELETE:{id}' => 'delete',
'POST:{id}/assess' => 'assessSupplier',
'GET:riskOverview' => 'riskOverview',
], ],
// ── TrainingController ────────────────────────── // ── TrainingController ──────────────────────────