From 48da914bc8e9a73352113344eb53fc16c6338dda Mon Sep 17 00:00:00 2001 From: Pontoporeia Date: Sun, 10 May 2026 23:40:27 +0200 Subject: [PATCH] fix: obfuscate email in contact links, raise rate limits, make Libre toggleable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - about.php: use EmailObfuscator::email() for contact email link text instead of htmlspecialchars - SearchController: raise rate limit from 30 to 300 req/min - request-access.php: raise rate limit from 3 to 30 req/10min - partage/index.php: raise rate limit from 5 to 50 req/10min - contenus.php: make Libre option toggleable (remove disabled class), move to top of Degré d'ouverture, remove temporary note about next academic year --- TODO.md | 3 +++ app/public/partage/index.php | 2 +- app/public/request-access.php | 2 +- app/src/Controllers/SearchController.php | 2 +- app/templates/admin/acces.php | 13 +++++++++++++ app/templates/admin/contenus.php | 19 +++++++++---------- app/templates/public/about.php | 2 +- 7 files changed, 29 insertions(+), 14 deletions(-) diff --git a/TODO.md b/TODO.md index 86e0759..be7fb0e 100644 --- a/TODO.md +++ b/TODO.md @@ -1,5 +1,8 @@ # TODO +- [x] Fix email addresses in about.php contacts section not using EmailObfuscator for link text +- [x] Raise rate limits: SearchController 30→300, request-access 3→30, partage 5→50 +- [x] Make Libre option toggleable in Degré d'ouverture fieldset, move to top, remove temporary note - [x] Improve recapitulatif.php (partage): bottom margin/padding, center .thanks-success - [x] Display ALL submitted info in recapitulatif page + email recap - [x] Add "validate your info / contact xamxam@erg.be" note on recap page diff --git a/app/public/partage/index.php b/app/public/partage/index.php index 870686d..028964b 100644 --- a/app/public/partage/index.php +++ b/app/public/partage/index.php 
@@ -471,7 +471,7 @@ function handleShareLinkSubmission(string $slug): void // 5 submissions per IP per 10 minutes, keyed per share link. $rateLimitCacheDir = STORAGE_ROOT . '/cache/rate_limit'; $shareRateLimitId = 'share_' . $slug . '_' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'); - $rateLimit = new RateLimit(5, 600, $rateLimitCacheDir); + $rateLimit = new RateLimit(50, 600, $rateLimitCacheDir); if (!$rateLimit->checkKey($shareRateLimitId)) { $_SESSION['_flash_error'] = 'Trop de tentatives. Veuillez réessayer plus tard.'; diff --git a/app/public/request-access.php b/app/public/request-access.php index b29a683..a094b92 100644 --- a/app/public/request-access.php +++ b/app/public/request-access.php @@ -88,7 +88,7 @@ if ($accessTypeId !== 2) { // Rate limiting: max 3 requests per 10 minutes per IP $rateLimitKey = 'access_request_' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'); -if (!(new RateLimit(3, 600))->checkKey($rateLimitKey)) { +if (!(new RateLimit(30, 600))->checkKey($rateLimitKey)) { http_response_code(429); echo json_encode(['success' => false, 'message' => 'Trop de requêtes. Veuillez réessayer dans quelques minutes.']); exit; diff --git a/app/src/Controllers/SearchController.php b/app/src/Controllers/SearchController.php index d355bcb..8f957cc 100644 --- a/app/src/Controllers/SearchController.php +++ b/app/src/Controllers/SearchController.php @@ -22,7 +22,7 @@ */ class SearchController { - private const RATE_LIMIT_MAX = 30; + private const RATE_LIMIT_MAX = 300; private const RATE_LIMIT_WINDOW = 60; // seconds private const ITEMS_PER_PAGE = 30; diff --git a/app/templates/admin/acces.php b/app/templates/admin/acces.php index 14cea5e..5e5d743 100644 --- a/app/templates/admin/acces.php +++ b/app/templates/admin/acces.php 
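Review bot: The context comment directly above the changed constructor call, `// 5 submissions per IP per 10 minutes, keyed per share link.`, is now wrong since the new limit is 50; update it to `// 50 submissions per IP per 10 minutes, keyed per share link.` so the comment and the `new RateLimit(50, 600, ...)` call agree. The request-access hunk in this same patch has the identical problem: `// Rate limiting: max 3 requests per 10 minutes per IP` should read `// Rate limiting: max 30 requests per 10 minutes per IP` to match `new RateLimit(30, 600)`. Both endpoints are anonymous, IP-keyed submission paths and the change is a tenfold relaxation, so the comment is also the natural place to record why the old ceiling was too low. handleShareLinkSubmission begins outside this hunk.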
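Review bot: Raising RATE_LIMIT_MAX from 30 to 300 per RATE_LIMIT_WINDOW (60 seconds) makes the search throttle roughly five requests per second per IP, and neither the constant nor the commit message says where 300 comes from, so the next reader cannot tell whether it was measured or guessed. Put the rationale next to the value, e.g. `private const RATE_LIMIT_MAX = 300; // per RATE_LIMIT_WINDOW; raised from 30 because <reason — fill in>`. If the motivation was legitimate clients sending one request per keystroke, a client-side debounce or a per-session key may address that without loosening the per-IP ceiling this much — that is an inference from the numbers, not from anything visible in the hunk. The SearchController class body continues outside this hunk.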
@@ -532,6 +532,19 @@ +%%%%%%% diff from: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision) +\\\\\\\ to: ryqustol a5179270 "import dialog: add Terminé button, fix padding, make success permanent, avoid POST resend" (rebased revision) ++ $linkName = $link['name'] ?? ''; +++ $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff from: ryqustol a5179270 "import dialog: add Terminé button, fix padding, make success permanent, avoid POST resend" (rebased revision) +\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ to: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision) +- $linkName = $link['name'] ?? ''; +- $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff from: somsyvxz 14a3cd10 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebase destination) +\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ to: nqmqrqmo 2b244c73 "fix: obfuscate email in contact links, raise rate limits, make Libre toggleable" (rebased revision) + $linkName = $link['name'] ?? ''; + $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; + $linkLockedYear = $link['locked_year'] ?? 
null; ++%%%%%%% diff from: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision) ++\\\\\\\ to: nqmqrqmo dd511b0d "fix: obfuscate email in contact links, raise rate limits, make Libre toggleable" (rebased revision) +++ $linkName = $link['name'] ?? ''; ++ $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; ?> diff --git a/app/templates/admin/contenus.php b/app/templates/admin/contenus.php index ebf9615..0bd3c59 100644 --- a/app/templates/admin/contenus.php +++ b/app/templates/admin/contenus.php @@ -108,18 +108,17 @@
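Review bot: This hunk commits unresolved conflict markers into the PHP block of acces.php: the added lines beginning `%%%%%%% diff from:` and `\\\\\\\ to:` plus the doubled `++ $linkName` / `++ $linkExpiresVal` assignments are not PHP, so the template will fail to parse or emit that text once it is deployed. The only substantive new statement appears to be `$linkLockedYear = $link['locked_year'] ?? null;`, so the resolved hunk should leave `$linkName = $link['name'] ?? '';` and `$linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';` as single context lines and add just that one line after them. acces.php is also absent from the commit description even though the diffstat lists it with 13 additions; the message should mention the locked_year addition once the markers are removed. The enclosing PHP block starts outside this hunk and what consumes `$linkLockedYear` is not visible here.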
Degré d'ouverture

Options de visibilité disponibles dans le formulaire d'ajout de TFE.

-

L'option Libre ne sera activée qu'à partir de l'année académique prochaine.

@@ -132,12 +131,12 @@ -