feat: file browser + relink for orphaned files + htmx fix + header cleanup + fix relinked FilePond integration + resolve acces.php conflict markers

app/public/admin/actions/filepond/relink.php

@@ -14,23 +14,29 @@ require_once __DIR__ . '/../../../../bootstrap.php';
 require_once __DIR__ . '/../../../../src/AdminAuth.php';
 AdminAuth::requireLogin();
 
+// Always return JSON, even on errors
+function relinkError(int $code, string $message): never {
+    http_response_code($code);
+    header('Content-Type: application/json');
+    echo json_encode(['ok' => false, 'error' => $message]);
+    exit;
+}
+
 // CSRF via header
 $csrfHeader = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
+error_log('[relink] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | csrf=' . (isset($_SESSION['csrf_token']) ? 'set' : 'missing') . ' | header=' . (strlen($csrfHeader) > 0 ? substr($csrfHeader, 0, 8) . '...' : 'empty') . ' | body_len=' . strlen(file_get_contents('php://input')));
 if (!isset($_SESSION['csrf_token'])
     || !hash_equals($_SESSION['csrf_token'], $csrfHeader)) {
-    http_response_code(403);
-    die('Token CSRF invalide.');
+    relinkError(403, 'Token CSRF invalide.');
 }
 
 if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
-    http_response_code(405);
-    die('Méthode non autorisée.');
+    relinkError(405, 'Méthode non autorisée.');
 }
 
 $body = json_decode(file_get_contents('php://input'), true);
 if (!is_array($body)) {
-    http_response_code(400);
-    die('JSON invalide.');
+    relinkError(400, 'JSON invalide.');
 }
 
 $thesisId  = filter_var($body['thesis_id'] ?? '', FILTER_VALIDATE_INT);
@@ -42,14 +48,12 @@ $queueType = trim($body['queue_type'] ?? '');
 $mimeType  = trim($body['mime_type'] ?? 'application/octet-stream');
 
 if (!$thesisId || $filePath === '') {
-    http_response_code(400);
-    die('Paramètres invalides (thesis_id + file_path requis).');
+    relinkError(400, 'Paramètres invalides (thesis_id + file_path requis).');
 }
 
 // Security: only allow paths under documents/ or theses/
 if (!preg_match('#^(documents|theses)/#', $filePath)) {
-    http_response_code(403);
-    die('Chemin de fichier non autorisé.');
+    relinkError(403, 'Chemin de fichier non autorisé.');
 }
 
 $absPath = STORAGE_ROOT . '/' . $filePath;
@@ -57,19 +61,21 @@ $realPath = realpath($absPath);
 $realStorage = realpath(STORAGE_ROOT);
 
 if ($realPath === false || !str_starts_with($realPath, $realStorage)) {
-    http_response_code(404);
-    die('Fichier introuvable ou chemin interdit.');
+    error_log('[relink] FILE NOT FOUND | absPath=' . $absPath . ' | realPath=' . var_export($realPath, true) . ' | realStorage=' . $realStorage);
+    relinkError(404, 'Fichier introuvable ou chemin interdit.');
 }
 
 if (!is_file($realPath)) {
-    http_response_code(404);
-    die('Le chemin ne pointe pas vers un fichier.');
+    relinkError(404, 'Le chemin ne pointe pas vers un fichier.');
 }
 
 // Detect MIME if not provided
-if ($mimeType === 'application/octet-stream') {
+if ($mimeType === 'application/octet-stream' && class_exists('finfo')) {
     $finfo = new finfo(FILEINFO_MIME_TYPE);
-    $mimeType = $finfo->file($realPath);
+    $detected = $finfo->file($realPath);
+    if ($detected !== false && $detected !== '') {
+        $mimeType = $detected;
+    }
 }
 
 // Map queue_type to file_type if not explicitly given
@@ -91,8 +97,7 @@ $pdo = $db->getConnection();
 $stmt = $pdo->prepare('SELECT id FROM thesis_files WHERE thesis_id = ? AND file_path = ?');
 $stmt->execute([$thesisId, $filePath]);
 if ($stmt->fetch()) {
-    http_response_code(409);
-    die('Ce fichier est déjà lié à ce TFE.');
+    relinkError(409, 'Ce fichier est déjà lié à ce TFE.');
 }
 
 $db->insertThesisFile(