Implement TFE file access restriction feature (complete)

Requirements:
- parametres.php toggle: 'restricted_files_enabled' enables/disables the feature
- Public TFE page: when enabled + access_type=Interne, hides files, shows French
  restriction message + access request form (metadata/synopsis still visible)
- ERG emails (@erg.school / @erg.be): auto-approve, send 24h access link immediately
- External emails: show justification textarea, create pending request, notify admin
- Admin panel /admin/file-access.php: approve/reject requests with optional notes,
  sends access email on approval (linked from admin nav with pending count badge)

Security:
- One-time 24h email tokens (used_at + is_valid=0 on first click)
- Token redeemed via POST /validate-access (GET shows confirmation page only)
- Long-lived 30-day browser session in file_access_sessions table
- Cookie: HttpOnly + Secure + SameSite=Strict
- CSRF on all mutations, rate limiting on request submission
- Audit trail: IP, UA, event, timestamp in file_access_audit

Bug fixes:
- admin/file-access.php: $vars never extract()ed → page was blank
- Template had self-contained head/footer includes (double-include)
- Admin approval URL used $requestId instead of $request['thesis_id']
- App::boot() now starts session so CSRF token works on public pages
- Dispatcher routes /validate-access and /request-access through front controller

app/src/Controllers/FileAccessController.php

@@ -0,0 +1,137 @@
+<?php
+/**
+ * FileAccessController
+ *
+ * Handles admin management of TFE file access requests.
+ * - List pending/approved/rejected requests
+ * - Approve/reject individual requests
+ * - Send notification emails on approval
+ */
+class FileAccessController
+{
+    private Database $db;
+
+    public function __construct(Database $db)
+    {
+        $this->db = $db;
+    }
+
+    public static function create(): self
+    {
+        require_once APP_ROOT . '/src/Database.php';
+        return new self(Database::getInstance());
+    }
+
+    /**
+     * Main admin page handler - lists access requests
+     */
+    public function handle(): array
+    {
+        // Get filter parameter
+        $status = $_GET['status'] ?? 'pending';
+        $page = isset($_GET['page']) ? max(1, (int)$_GET['page']) : 1;
+        $perPage = 20;
+        $offset = ($page - 1) * $perPage;
+
+        // Fetch requests based on filter
+        if ($status === 'approved') {
+            $requests = $this->getApprovedRequests($perPage, $offset);
+            $totalCount = $this->countApprovedRequests();
+        } elseif ($status === 'rejected') {
+            $requests = $this->getRejectedRequests($perPage, $offset);
+            $totalCount = $this->countRejectedRequests();
+        } else {
+            $requests = $this->db->getPendingAccessRequests($perPage, $offset);
+            $totalCount = $this->db->countPendingAccessRequests();
+        }
+
+        $totalPages = max(1, ceil($totalCount / $perPage));
+
+        return [
+            'requests' => $requests,
+            'status' => $status,
+            'page' => $page,
+            'totalPages' => $totalPages,
+            'totalCount' => $totalCount,
+            'pendingCount' => $this->db->countPendingAccessRequests(),
+            'approvedCount' => $this->countApprovedRequests(),
+            'rejectedCount' => $this->countRejectedRequests(),
+            'currentPage' => 'file-access',
+        ];
+    }
+
+    private function getApprovedRequests(int $limit, int $offset): array
+    {
+        $sql = "
+            SELECT
+                far.id,
+                far.email,
+                far.justification,
+                far.created_at,
+                far.approved_at,
+                t.id as thesis_id,
+                t.title,
+                t.subtitle,
+                a.name as authors,
+                t.year
+            FROM file_access_requests far
+            JOIN theses t ON far.thesis_id = t.id
+            LEFT JOIN thesis_authors ta ON t.id = ta.thesis_id
+            LEFT JOIN authors a ON ta.author_id = a.id AND ta.author_order = 1
+            WHERE far.status = 'approved'
+            ORDER BY far.approved_at DESC
+            LIMIT ? OFFSET ?
+        ";
+
+        $stmt = $this->db->getPDO()->prepare($sql);
+        $stmt->execute([$limit, $offset]);
+        return $stmt->fetchAll();
+    }
+
+    private function countApprovedRequests(): int
+    {
+        $stmt = $this->db->getPDO()->query(
+            "SELECT COUNT(*) as count FROM file_access_requests WHERE status = 'approved'"
+        );
+        $result = $stmt->fetch();
+        return (int)$result['count'];
+    }
+
+    private function getRejectedRequests(int $limit, int $offset): array
+    {
+        $sql = "
+            SELECT
+                far.id,
+                far.email,
+                far.justification,
+                far.admin_notes,
+                far.created_at,
+                far.approved_at,
+                t.id as thesis_id,
+                t.title,
+                t.subtitle,
+                a.name as authors,
+                t.year
+            FROM file_access_requests far
+            JOIN theses t ON far.thesis_id = t.id
+            LEFT JOIN thesis_authors ta ON t.id = ta.thesis_id
+            LEFT JOIN authors a ON ta.author_id = a.id AND ta.author_order = 1
+            WHERE far.status = 'rejected'
+            ORDER BY far.approved_at DESC
+            LIMIT ? OFFSET ?
+        ";
+
+        $stmt = $this->db->getPDO()->prepare($sql);
+        $stmt->execute([$limit, $offset]);
+        return $stmt->fetchAll();
+    }
+
+    private function countRejectedRequests(): int
+    {
+        $stmt = $this->db->getPDO()->query(
+            "SELECT COUNT(*) as count FROM file_access_requests WHERE status = 'rejected'"
+        );
+        $result = $stmt->fetch();
+        return (int)$result['count'];
+    }
+}

app/src/Controllers/TfeController.php

@@ -72,8 +72,23 @@ class TfeController
         }
 
         // Access type (1 = open, 2 = restricted, 3 = forbidden)
-        $accessTypeId = $this->db->getThesisAccessTypeId($thesisId) ?? 1;
-        $isInterdit   = ($accessTypeId === 3);
+        $accessTypeId      = $this->db->getThesisAccessTypeId($thesisId) ?? 1;
+        $isInterdit        = ($accessTypeId === 3);
+        
+        // Check if restricted files feature is enabled and user has access
+        $restrictedEnabled = $this->db->isRestrictedFilesEnabled();
+        $hasRestrictedAccess = false;
+        
+        if ($restrictedEnabled && $accessTypeId === 2) {
+            // Check for cookie-based access
+            $cookieToken = $_COOKIE['tfe_access_' . $thesisId] ?? null;
+            if ($cookieToken) {
+                $hasRestrictedAccess = $this->db->hasValidCookieAccess($cookieToken, $thesisId);
+            }
+        }
+        
+        // If access is restricted and user doesn't have valid access, hide files
+        $shouldHideFiles = ($restrictedEnabled && $accessTypeId === 2 && !$hasRestrictedAccess);
 
         // Caption (WebVTT) files — N-th VTT is paired with the N-th <video>
         $captionFiles = $this->collectCaptionPaths($data['files'] ?? []);
@@ -101,6 +116,11 @@ class TfeController
             'promoteursExternes' => $juryByRole['externes'],
             'juryLecteurs'      => $juryByRole['lecteurs'],
 
+            // Restricted files access
+            'restrictedEnabled'  => $restrictedEnabled,
+            'hasRestrictedAccess' => $hasRestrictedAccess,
+            'shouldHideFiles'    => $shouldHideFiles,
+
             // Page meta
             'pageTitle'       => $pageTitle,
             'metaDescription' => $metaDescription,