mirror of
https://codeberg.org/PostERG/xamxam.git
synced 2026-05-06 11:09:18 +02:00
Implement TFE file access restriction feature (complete)
Requirements: - parametres.php toggle: 'restricted_files_enabled' enables/disables the feature - Public TFE page: when enabled + access_type=Interne, hides files, shows French restriction message + access request form (metadata/synopsis still visible) - ERG emails (@erg.school / @erg.be): auto-approve, send 24h access link immediately - External emails: show justification textarea, create pending request, notify admin - Admin panel /admin/file-access.php: approve/reject requests with optional notes, sends access email on approval (linked from admin nav with pending count badge) Security: - One-time 24h email tokens (used_at + is_valid=0 on first click) - Token redeemed via POST /validate-access (GET shows confirmation page only) - Long-lived 30-day browser session in file_access_sessions table - Cookie: HttpOnly + Secure + SameSite=Strict - CSRF on all mutations, rate limiting on request submission - Audit trail: IP, UA, event, timestamp in file_access_audit Bug fixes: - admin/file-access.php: $vars never extract()ed → page was blank - Template had self-contained head/footer includes (double-include) - Admin approval URL used $requestId instead of $request['thesis_id'] - App::boot() now starts session so CSRF token works on public pages - Dispatcher routes /validate-access and /request-access through front controller
This commit is contained in:
Pontoporeia
@@ -193,6 +193,100 @@
|
||||
<p class="tfe-restricted">
|
||||
Ce TFE n'est pas disponible en ligne.
|
||||
</p>
|
||||
<?php elseif ($shouldHideFiles): ?>
|
||||
<div class="tfe-restricted-access">
|
||||
<p class="tfe-restricted-message">
|
||||
<strong>Accès restreint</strong><br>
|
||||
Les fichiers attachés à ce TFE sont réservés aux utilisateurs autorisés.
|
||||
</p>
|
||||
|
||||
<form id="access-request-form" class="tfe-access-request-form"
|
||||
data-thesis-id="<?= $thesisId ?>">
|
||||
<input type="hidden" name="csrf_token"
|
||||
value="<?= htmlspecialchars($_SESSION['csrf_token'] ?? '') ?>">
|
||||
|
||||
<div class="form-group">
|
||||
<label for="access-email">Votre adresse email :</label>
|
||||
<input type="email"
|
||||
id="access-email"
|
||||
name="email"
|
||||
required
|
||||
placeholder="votre@email.com">
|
||||
</div>
|
||||
|
||||
<div id="justification-container" class="form-group" style="display: none;">
|
||||
<label for="access-justification">Pourquoi souhaitez-vous accéder à ce TFE ?</label>
|
||||
<textarea id="access-justification"
|
||||
name="justification"
|
||||
rows="4"
|
||||
placeholder="Décrivez brièvement votre motivation (recherche, collaboration, etc.)"></textarea>
|
||||
</div>
|
||||
|
||||
<button type="submit" class="tfe-btn-request-access">
|
||||
Demander l'accès
|
||||
</button>
|
||||
|
||||
<div id="access-request-message" class="tfe-access-message" style="display: none;"></div>
|
||||
</form>
|
||||
</div>
|
||||
|
||||
<script>
|
||||
(function() {
|
||||
const form = document.getElementById('access-request-form');
|
||||
const emailInput = document.getElementById('access-email');
|
||||
const justificationContainer = document.getElementById('justification-container');
|
||||
const justificationInput = document.getElementById('access-justification');
|
||||
const messageDiv = document.getElementById('access-request-message');
|
||||
|
||||
// Show/hide justification based on email domain
|
||||
emailInput.addEventListener('input', function() {
|
||||
const email = this.value.trim().toLowerCase();
|
||||
const isErg = email.endsWith('@erg.school') || email.endsWith('@erg.be');
|
||||
justificationContainer.style.display = isErg ? 'none' : 'block';
|
||||
justificationInput.required = !isErg;
|
||||
});
|
||||
|
||||
// Form submission
|
||||
form.addEventListener('submit', function(e) {
|
||||
e.preventDefault();
|
||||
|
||||
const submitBtn = form.querySelector('button[type="submit"]');
|
||||
submitBtn.disabled = true;
|
||||
submitBtn.textContent = 'Envoi en cours...';
|
||||
messageDiv.style.display = 'none';
|
||||
|
||||
const formData = new FormData(form);
|
||||
formData.append('thesis_id', '<?= $thesisId ?>');
|
||||
|
||||
fetch('/request-access.php', {
|
||||
method: 'POST',
|
||||
body: formData
|
||||
})
|
||||
.then(response => response.json())
|
||||
.then(data => {
|
||||
submitBtn.disabled = false;
|
||||
submitBtn.textContent = 'Demander l\'accès';
|
||||
|
||||
messageDiv.style.display = 'block';
|
||||
if (data.success) {
|
||||
messageDiv.className = 'tfe-access-message tfe-access-success';
|
||||
messageDiv.textContent = data.message;
|
||||
form.reset();
|
||||
} else {
|
||||
messageDiv.className = 'tfe-access-message tfe-access-error';
|
||||
messageDiv.textContent = data.message || 'Une erreur est survenue. Veuillez réessayer.';
|
||||
}
|
||||
})
|
||||
.catch(error => {
|
||||
submitBtn.disabled = false;
|
||||
submitBtn.textContent = 'Demander l\'accès';
|
||||
messageDiv.style.display = 'block';
|
||||
messageDiv.className = 'tfe-access-message tfe-access-error';
|
||||
messageDiv.textContent = 'Erreur de connexion. Veuillez réessayer.';
|
||||
});
|
||||
});
|
||||
})();
|
||||
</script>
|
||||
<?php elseif (!empty($data['files'])): ?>
|
||||
<?php foreach ($data['files'] as $file): ?>
|
||||
<?php
|
||||
|
||||
Reference in New Issue
Block a user