From 24b753a992974b9b19d3fd09fa1c9409e852718a Mon Sep 17 00:00:00 2001 From: Pontoporeia Date: Mon, 8 Jun 2026 11:22:31 +0200 Subject: [PATCH] fix: add missing csrf_token to htmx checkbox in file access restrictions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 'Activer la restriction d'accès' checkbox in /admin/acces.php used htmx to POST to settings.php but the #fieldset-restrictions container was missing a csrf_token hidden input. This caused two bugs: 1. 'Erreur de sécurité, token invalide' error 2. Full /admin/parametres.php HTML injected into #restrictions-response (due to HTMX following the 302 redirect on CSRF failure) --- app/templates/admin/acces.php | 1 + 1 file changed, 1 insertion(+) diff --git a/app/templates/admin/acces.php b/app/templates/admin/acces.php index 7403a64..3123722 100644 --- a/app/templates/admin/acces.php +++ b/app/templates/admin/acces.php @@ -338,6 +338,7 @@ hx-target="#restrictions-response" hx-swap="innerHTML" hx-include="#fieldset-restrictions"> + Activer la restriction d'accès
Pour les TFE de type "Interne", masquer les fichiers et exiger une demande d'accès par email. Les métadonnées et résumés restent publics.
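Review bot: The request context above the added line still swaps any response into `hx-target="#restrictions-response"` with `hx-swap="innerHTML"`, so the second bug in the commit message (the full /admin/parametres.php page injected after the 302 on CSRF failure) will come back whenever the token is rejected for another reason, such as an expired session. Adding the token fixes the normal path only. Consider having settings.php answer htmx requests (those carrying the `HX-Request` header) with a 4xx status and a short error fragment instead of a redirect, since htmx does not swap 4xx responses by default, or with an `HX-Redirect` response header if a full navigation is intended. Also confirm that the added hidden input sits inside the `#fieldset-restrictions` element, because `hx-include="#fieldset-restrictions"` only submits inputs found under that selector, and that the token value is HTML-escaped when written into the attribute. The input markup is not visible in the hunk as rendered here, so neither can be checked from this page.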