Implement TFE file access restriction feature (complete)

Requirements: - parametres.php toggle: 'restricted_files_enabled' enables/disables the feature - Public TFE page: when enabled + access_type=Interne, hides files, shows French restriction message + access request form (metadata/synopsis still visible) - ERG emails (@erg.school / @erg.be): auto-approve, send 24h access link immediately - External emails: show justification textarea, create pending request, notify admin - Admin panel /admin/file-access.php: approve/reject requests with optional notes, sends access email on approval (linked from admin nav with pending count badge) Security: - One-time 24h email tokens (used_at + is_valid=0 on first click) - Token redeemed via POST /validate-access (GET shows confirmation page only) - Long-lived 30-day browser session in file_access_sessions table - Cookie: HttpOnly + Secure + SameSite=Strict - CSRF on all mutations, rate limiting on request submission - Audit trail: IP, UA, event, timestamp in file_access_audit Bug fixes: - admin/file-access.php: $vars never extract()ed → page was blank - Template had self-contained head/footer includes (double-include) - Admin approval URL used $requestId instead of $request['thesis_id'] - App::boot() now starts session so CSRF token works on public pages - Dispatcher routes /validate-access and /request-access through front controller
2026-05-06 19:19:19 +02:00 · 2026-04-27 20:12:43 +02:00
parent 5c776dd39e
commit 27e1b6828d
21 changed files with 6256 additions and 15 deletions
--- a/app/templates/admin/parametres.php
+++ b/app/templates/admin/parametres.php
@@ -102,6 +102,19 @@
                </label>
            </fieldset>

+            <fieldset>
+                <legend>Restriction d'accès aux fichiers</legend>
+
+                <label class="param-checkbox">
+                    <input type="checkbox" name="restricted_files_enabled" value="1"
+                           <?= ($siteSettings['restricted_files_enabled'] ?? '0') === '1' ? 'checked' : '' ?>>
+                    <span>
+                        <strong>Activer la restriction d'accès</strong><br>
+                        <small>Pour les TFE de type "Interne", masquer les fichiers et exiger une demande d'accès par email. Les métadonnées et le résumé restent visibles publiquement.</small>
+                    </span>
+                </label>
+            </fieldset>
+
            <button type="submit">Enregistrer</button>
        </form>
    </section>