filepond: implement async server-ID upload architecture with nested queue support + PeerTube integration

Replace `storeAsFile:true` with a full async FilePond round-trip pipeline using opaque server-side file IDs. * Added 4 new PHP endpoints under `/admin/actions/filepond/`: * `process.php` — upload/process single file and return opaque `file_id` * `revert.php` — delete pending tmp uploads before form submit * `load.php` — stream existing files by DB ID for FilePond preload * `remove.php` — soft-delete `thesis_files` rows * `process.php` improvements: * accept arbitrary FilePond field names instead of hardcoded `file` * support PHP-nested multi-file queue inputs (`queue_file[tfe][]`) * explicit unwrapping of nested `$_FILES` structures * add `audio/mp3` to audio + `peertube_audio` MIME whitelists * immediate upload of `peertube_*` files to PeerTube, returning `peertube:{uuid}` IDs * extensive `error_log()` instrumentation for request, CSRF, MIME, upload, and save stages * `revert.php` now accepts `peertube:` IDs without local cleanup * `ThesisFileHandler`: * add `handleFilePondQueueFiles()` + `handleFilePondSingleFile()` * process async uploads from `storage/tmp/filepond/` via opaque `file_id` * inline handling of `peertube:{uuid}` IDs with direct `thesis_files` insertion * remove obsolete deferred PeerTube queue-processing flow * `ThesisCreateController` + `ThesisEditController`: * gate async path behind `filepond_mode=1` * preserve legacy multipart flow as fallback * `file-upload-filepond.js`: * remove `storeAsFile:true` * add `buildServerConfig()` for async endpoint wiring * fix `syncOrderInput()` to use `serverId` * add `onprocessfile` hook * add `fileValidateSizeFilterItem` for per-extension size caps * preload existing uploads via `data-existing-files` + `server.load` * replace static `INPUT_ID_TO_TYPE` map with `data-queue-type` * add extensive `console.log()` debugging across upload pipeline stages * `upload-progress.js`: * block form submission while uploads are pending * update `collectFileNames()` to read processed FilePond items * Templates/layout: * add `data-queue-type` * add `data-existing-files` * add global CSRF meta tag outside admin-only context * add `filepond_mode` hidden input * add CSRF token/meta support for partage pages * move website URL field below file upload block * `.gitignore`: exclude `storage/tmp/` from version control
2026-06-25 16:19:19 +02:00 · 2026-05-11 20:11:31 +02:00
parent b56d073210
commit 2e9ebfc684
18 changed files with 1342 additions and 261 deletions
--- a/app/public/admin/actions/filepond/revert.php
+++ b/app/public/admin/actions/filepond/revert.php
@@ -0,0 +1,74 @@
+<?php
+/**
+ * FilePond revert endpoint — deletes a just-uploaded tmp file.
+ *
+ * DELETE /admin/actions/filepond/revert.php
+ * Body: plain text file_id
+ *
+ * Called when the user removes a file before form submit.
+ */
+
+require_once __DIR__ . '/../../../../bootstrap.php';
+require_once __DIR__ . '/../../../../src/AdminAuth.php';
+
+AdminAuth::requireLogin();
+
+// ── CSRF via header ──────────────────────────────────────────────────────
+$csrfHeader = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
+if (!isset($_SESSION['csrf_token'])
+    || !hash_equals($_SESSION['csrf_token'], $csrfHeader)) {
+    http_response_code(403);
+    die('Token CSRF invalide.');
+}
+
+// ── Only accept DELETE ───────────────────────────────────────────────────
+if ($_SERVER['REQUEST_METHOD'] !== 'DELETE') {
+    http_response_code(405);
+    die('Méthode non autorisée.');
+}
+
+// ── Read file_id from body ───────────────────────────────────────────────
+$fileId = trim(file_get_contents('php://input'));
+
+// PeerTube files have a special prefix; nothing to clean up locally
+if (str_starts_with($fileId, 'peertube:')) {
+    // PeerTube files are already uploaded; we don't delete them from PeerTube on revert
+    // (the user might still submit and associate them)
+    http_response_code(200);
+    exit;
+}
+
+if ($fileId === '' || !preg_match('/^[a-f0-9]{32}$/', $fileId)) {
+    http_response_code(400);
+    die('ID de fichier invalide.');
+}
+
+// ── Verify tmp directory exists and manifest matches session ─────────────
+$tmpDir = STORAGE_ROOT . '/tmp/filepond/' . $fileId;
+$manifestPath = $tmpDir . '/manifest.json';
+
+if (!is_dir($tmpDir) || !file_exists($manifestPath)) {
+    http_response_code(404);
+    exit;
+}
+
+$manifest = json_decode(file_get_contents($manifestPath), true);
+if (!is_array($manifest) || ($manifest['session_id'] ?? '') !== session_id()) {
+    http_response_code(403);
+    die('Session invalide.');
+}
+
+// ── Delete directory recursively ─────────────────────────────────────────
+$it = new RecursiveDirectoryIterator($tmpDir, RecursiveDirectoryIterator::SKIP_DOTS);
+$files_it = new RecursiveIteratorIterator($it, RecursiveIteratorIterator::CHILD_FIRST);
+foreach ($files_it as $file) {
+    if ($file->isDir()) {
+        rmdir($file->getRealPath());
+    } else {
+        unlink($file->getRealPath());
+    }
+}
+rmdir($tmpDir);
+
+http_response_code(200);
+exit;