PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 11:09:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat: add file display to forms and recap pages

Browse Source 
- Live file preview on all file inputs (file-field partial, edit template):
  thumbnails for images, emoji icons for PDF/video/zip/vtt, filename + size
- New file-preview.js wired via $extraJs in add.php / edit.php and direct
  <script> in partage/index.php; $extraJs support added to head.php
- admin/recapitulatif.php: replace plain table with rich file list — image
  thumbnails linked to media.php, type badges, human-readable size, date
- partage/recapitulatif.php: full rewrite — shows thesis metadata + files
  list with same rich display (no media links for student privacy)
- form.css: new sections for .file-preview-list (live preview) and
  .recap-file-list / .recap-dl / .partage-recap (recap pages)
This commit is contained in:
Pontoporeia
2026-04-27 20:41:43 +02:00
parent aca7e7eef8
commit 32a7509598
11 changed files with 450 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
TODO.md
View File

@@ -1,77 +1,16 @@
# TFE Access Restriction Feature
# TODO
## Renaming
- [x] Rename `thanks.php``recapitulatif.php` in admin and partage (public + templates)
- [x] Update all internal references (routes, includes, header.php, README, controller comment)
## File Display in Forms & Recaps
## Admin Edit Form — File Management
- [x] Add cover image upload/preview/remove to edit.php
- [x] Add existing thesis files listing with per-file delete checkboxes
- [x] Add new thesis files upload field (PDF, JPG, PNG, MP4, ZIP, VTT)
- [x] Add `deleteThesisFile()` and `handleCoverUpload()` to Database.php
- [x] Update `ThesisEditController::save()` to handle cover, file deletion, new uploads
- [x] Update `ThesisEditController::load()` to expose `currentFiles` + `currentCover`
- [x] Rework Fichiers fieldset layout: inline file inputs (no partial double-label), banner moved inside fieldset, one label per field
## Overview
Add access restriction for TFE attached files based on user email domain, with admin validation workflow.
## Implementation Plan
### 1. Database Changes
- [x] Add `restricted_files_enabled` setting to site_settings table
- [x] Create `file_access_requests` table
- id, thesis_id, email, justification, status (pending/approved/rejected), admin_notes, created_at, approved_at, approved_by_admin_id
- [x] Create `file_access_tokens` table (short-lived, one-time email links, 24h)
- id, request_id, token (unique), expires_at, used_at (one-time mark)
- [x] Create `file_access_sessions` table (long-lived browser sessions, 30 days)
- id, request_id, session_token, expires_at, is_valid
- [x] Create `file_access_audit` table (IP, UA, timestamp on redemption)
### 2. Configuration
- [x] Add `restricted_files_enabled` checkbox in parametres.php (Formulaire section)
- [x] Update settings.php action handler to persist the setting
### 3. Public TFE View (tfe.php) - Restricted Access UI
- [x] TfeController checks restricted flag + access_type_id=2 + cookie session
- [x] French text: "Accès restreint — Les fichiers attachés à ce TFE sont réservés aux utilisateurs autorisés."
- [x] Request form: email input + conditional justification textarea (non-ERG only)
- [x] JS: shows/hides justification textarea based on email domain (@erg.school / @erg.be)
- [x] Form submits via fetch POST to /request-access.php with CSRF token
- [x] Metadata, title, authors, synopsis all remain visible regardless of restriction
### 4. Email Flow
- [x] @erg.school / @erg.be → auto-approve, generate 24h one-time token, send email immediately
- [x] External email → create pending request, notify admin by email
- [x] Admin approves → generate 24h token, send email to requester
- [x] Email contains link to GET /validate-access (confirmation page) → POST to redeem
### 5. Secure Token Redemption
- [x] One-time email token (24h, marked used_at on first click, is_valid=0)
- [x] GET /validate-access → shows confirmation page (no side effects)
- [x] POST /validate-access → redeems token (CSRF required), creates browser session cookie
- [x] Cookie: HttpOnly; Secure; SameSite=Strict; 30 days
- [x] Session stored in file_access_sessions (separate from one-time email token)
- [x] TfeController checks file_access_sessions via hasValidCookieAccess()
- [x] Audit trail: IP, User-Agent, timestamp in file_access_audit on every redemption attempt
### 6. Admin Panel - Access Requests Management
- [x] Admin page: /admin/file-access.php (linked from admin nav with pending badge)
- [x] List pending/approved/rejected requests with tab filters and pagination
- [x] Approve dialog (with optional note) → sends 24h access email
- [x] Reject dialog (with optional note)
- [x] Bug fix: $vars was never extract()ed — page was blank
- [x] Bug fix: template included head.php/header.php/footer.php itself (double-include)
- [x] Bug fix: admin approval URL used $requestId instead of $request['thesis_id']
### 7. Security
- [x] One-time use tokens (used_at + is_valid=0)
- [x] POST-based redemption (token in hidden form field, not URL action)
- [x] 256-bit random tokens, rate limiting on request submission (3/10min per IP)
- [x] HttpOnly cookie + SameSite=Strict
- [x] CSRF on all mutations
- [x] Audit trail (IP, UA, event, timestamp)
- [x] Short-lived email links (24h), long-lived browser sessions (30 days)
- [x] App::boot() starts session for all public requests (CSRF token available everywhere)
- [x] Add live file preview to `file-field.php` partial (`data-preview` attribute + `.file-preview-list` container)
- [x] Write `file-preview.js` — renders thumbnails for images, emoji icons for PDFs/videos/zips, filename + size
- [x] Load `file-preview.js` in `admin/add.php` via `$extraJs`
- [x] Load `file-preview.js` in `admin/edit.php` via `$extraJs`
- [x] Load `file-preview.js` in `partage/index.php` (self-contained HTML, direct `<script>` tag)
- [x] Support `$extraJs` in `head.php`
- [x] Add `data-preview` + preview container to edit template's cover/banner/files inputs (not using partial)
- [x] Enhance `admin/recapitulatif.php` template — image thumbnails, clickable filenames, type badges, file size, date
- [x] Rewrite `partage/recapitulatif.php` — full recap with thesis metadata + uploaded files list (thumbnails for images, icons for others)
- [x] Add CSS: `.file-preview-list`, `.fp-item`, `.fp-thumb`, `.fp-icon`, `.fp-meta`, `.fp-name`, `.fp-size`
- [x] Add CSS: `.recap-file-list`, `.recap-file-item`, `.recap-file-thumb`, `.recap-file-icon`, `.recap-file-meta`, `.recap-file-type-badge`, `.recap-file-date`
- [x] Add CSS: `.partage-recap`, `.recap-section`, `.recap-dl` for partage recap layout