diff --git a/TODO.md b/TODO.md index 6188c62..1f51d93 100644 --- a/TODO.md +++ b/TODO.md @@ -1,77 +1,16 @@ -# TFE Access Restriction Feature +# TODO -## Renaming -- [x] Rename `thanks.php` → `recapitulatif.php` in admin and partage (public + templates) -- [x] Update all internal references (routes, includes, header.php, README, controller comment) +## File Display in Forms & Recaps - -## Admin Edit Form — File Management -- [x] Add cover image upload/preview/remove to edit.php -- [x] Add existing thesis files listing with per-file delete checkboxes -- [x] Add new thesis files upload field (PDF, JPG, PNG, MP4, ZIP, VTT) -- [x] Add `deleteThesisFile()` and `handleCoverUpload()` to Database.php -- [x] Update `ThesisEditController::save()` to handle cover, file deletion, new uploads -- [x] Update `ThesisEditController::load()` to expose `currentFiles` + `currentCover` -- [x] Rework Fichiers fieldset layout: inline file inputs (no partial double-label), banner moved inside fieldset, one label per field - - -## Overview -Add access restriction for TFE attached files based on user email domain, with admin validation workflow. - -## Implementation Plan - -### 1. Database Changes -- [x] Add `restricted_files_enabled` setting to site_settings table -- [x] Create `file_access_requests` table - - id, thesis_id, email, justification, status (pending/approved/rejected), admin_notes, created_at, approved_at, approved_by_admin_id -- [x] Create `file_access_tokens` table (short-lived, one-time email links, 24h) - - id, request_id, token (unique), expires_at, used_at (one-time mark) -- [x] Create `file_access_sessions` table (long-lived browser sessions, 30 days) - - id, request_id, session_token, expires_at, is_valid -- [x] Create `file_access_audit` table (IP, UA, timestamp on redemption) - -### 2. Configuration -- [x] Add `restricted_files_enabled` checkbox in parametres.php (Formulaire section) -- [x] Update settings.php action handler to persist the setting - -### 3. Public TFE View (tfe.php) - Restricted Access UI -- [x] TfeController checks restricted flag + access_type_id=2 + cookie session -- [x] French text: "Accès restreint — Les fichiers attachés à ce TFE sont réservés aux utilisateurs autorisés." -- [x] Request form: email input + conditional justification textarea (non-ERG only) -- [x] JS: shows/hides justification textarea based on email domain (@erg.school / @erg.be) -- [x] Form submits via fetch POST to /request-access.php with CSRF token -- [x] Metadata, title, authors, synopsis all remain visible regardless of restriction - -### 4. Email Flow -- [x] @erg.school / @erg.be → auto-approve, generate 24h one-time token, send email immediately -- [x] External email → create pending request, notify admin by email -- [x] Admin approves → generate 24h token, send email to requester -- [x] Email contains link to GET /validate-access (confirmation page) → POST to redeem - -### 5. Secure Token Redemption -- [x] One-time email token (24h, marked used_at on first click, is_valid=0) -- [x] GET /validate-access → shows confirmation page (no side effects) -- [x] POST /validate-access → redeems token (CSRF required), creates browser session cookie -- [x] Cookie: HttpOnly; Secure; SameSite=Strict; 30 days -- [x] Session stored in file_access_sessions (separate from one-time email token) -- [x] TfeController checks file_access_sessions via hasValidCookieAccess() -- [x] Audit trail: IP, User-Agent, timestamp in file_access_audit on every redemption attempt - -### 6. Admin Panel - Access Requests Management -- [x] Admin page: /admin/file-access.php (linked from admin nav with pending badge) -- [x] List pending/approved/rejected requests with tab filters and pagination -- [x] Approve dialog (with optional note) → sends 24h access email -- [x] Reject dialog (with optional note) -- [x] Bug fix: $vars was never extract()ed — page was blank -- [x] Bug fix: template included head.php/header.php/footer.php itself (double-include) -- [x] Bug fix: admin approval URL used $requestId instead of $request['thesis_id'] - -### 7. Security -- [x] One-time use tokens (used_at + is_valid=0) -- [x] POST-based redemption (token in hidden form field, not URL action) -- [x] 256-bit random tokens, rate limiting on request submission (3/10min per IP) -- [x] HttpOnly cookie + SameSite=Strict -- [x] CSRF on all mutations -- [x] Audit trail (IP, UA, event, timestamp) -- [x] Short-lived email links (24h), long-lived browser sessions (30 days) -- [x] App::boot() starts session for all public requests (CSRF token available everywhere) +- [x] Add live file preview to `file-field.php` partial (`data-preview` attribute + `.file-preview-list` container) +- [x] Write `file-preview.js` — renders thumbnails for images, emoji icons for PDFs/videos/zips, filename + size +- [x] Load `file-preview.js` in `admin/add.php` via `$extraJs` +- [x] Load `file-preview.js` in `admin/edit.php` via `$extraJs` +- [x] Load `file-preview.js` in `partage/index.php` (self-contained HTML, direct `
diff --git a/app/public/partage/recapitulatif.php b/app/public/partage/recapitulatif.php index a854740..ee1c2ff 100644 --- a/app/public/partage/recapitulatif.php +++ b/app/public/partage/recapitulatif.php @@ -1,7 +1,7 @@ getThesis($thesisId); if (!$thesis) { http_response_code(404); die('TFE introuvable.'); } +$files = $db->getThesisFiles($thesisId); + // Was the confirmation e-mail sent? $emailSent = !empty($_SESSION['share_email_sent']); unset($_SESSION['share_email_sent']); -// Get the share link slug from the referer path -$pathParts = explode('/', trim($_SERVER['REQUEST_URI'] ?? '', '/')); -$slug = count($pathParts) >= 2 ? $pathParts[0] : null; +// Derive share-link slug from the URI so we can build the "submit another" link. +$pathParts = explode('/', trim(parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH), '/')); +// URI is /partage/recapitulatif?id=N → parts[0]=partage, parts[1]=recapitulatif +// We have no slug here, so just link back to /partage/ root. +$slug = null; + +function partageFormatFileSize(int $bytes): string { + if ($bytes >= 1073741824) return number_format($bytes / 1073741824, 2) . ' GB'; + if ($bytes >= 1048576) return number_format($bytes / 1048576, 2) . ' MB'; + if ($bytes >= 1024) return number_format($bytes / 1024, 2) . ' KB'; + return $bytes . ' B'; +} $pageTitle = 'Merci — TFE enregistré'; ?> @@ -43,20 +53,99 @@ $pageTitle = 'Merci — TFE enregistré'; -
+
+

✅ Merci !

Votre TFE a bien été enregistré sur la plateforme.

📧 Un e-mail de confirmation a été envoyé avec un récapitulatif de votre soumission.

- -

- - - + Soumettre un autre TFE -
+ +
+

Récapitulatif de votre soumission

+
+
Titre
+
+ + +
Sous-titre
+
+ + + +
Auteur·ice(s)
+
+ + + +
Année
+
+ + + +
Orientation
+
+ + + +
Atelier pluridisciplinaire
+
+ + + +
Finalité
+
+ + + +
Mots-clés
+
+ +
+
+ + +
+

Fichiers soumis

+
    + + +
  • + + + <?= $fileName ?> + + + + + + +
    + + + +
    +
    • + +
+
+ +
diff --git a/app/templates/admin/edit.php b/app/templates/admin/edit.php index 4b20c82..1b651dd 100644 --- a/app/templates/admin/edit.php +++ b/app/templates/admin/edit.php @@ -112,7 +112,8 @@ - + +
@@ -149,7 +150,9 @@
+ accept=".pdf,.jpg,.jpeg,.png,.mp4,.zip,.vtt" + data-preview="fp-files"> +
PDF, JPG, PNG, MP4, ZIP. Max 50 MB par fichier. Pour les vidéos, un fichier .vtt de sous-titres peut être joint.
@@ -167,7 +170,8 @@ - + +
diff --git a/app/templates/admin/recapitulatif.php b/app/templates/admin/recapitulatif.php index d0501e5..45a3ed5 100644 --- a/app/templates/admin/recapitulatif.php +++ b/app/templates/admin/recapitulatif.php @@ -84,19 +84,41 @@

Fichiers

- - - - - - - - - - - - -
TypeFichierTailleDate
+
    + + +
  • + + + <?= $fileName ?> + + + + + + +
    + + + + +
    +
    • + +
diff --git a/app/templates/head.php b/app/templates/head.php index d006502..852162d 100644 --- a/app/templates/head.php +++ b/app/templates/head.php @@ -69,6 +69,9 @@ + + +