Add Paramètres page: consolidate maintenance + account settings

2026-05-06 19:19:19 +02:00 · 2026-04-08 15:06:51 +02:00
parent ba135f0cb5
commit 603af07b68
8 changed files with 262 additions and 35 deletions
--- a/public/admin/actions/account.php
+++ b/public/admin/actions/account.php
@@ -23,15 +23,18 @@ $action          = $_POST['action'] ?? 'change_password';

 // ── Remove credentials ────────────────────────────────────────────────────────
 if ($action === 'remove_credentials') {
+    $backUrl = $_POST['redirect'] ?? '/admin/parametres.php';
+    if (!preg_match('#^/admin/#', $backUrl)) { $backUrl = '/admin/parametres.php'; }
+
    if (!$hasPassword) {
        App::flash('error', 'Aucun fichier de mot de passe à supprimer.');
-        header('Location: /admin/account.php');
+        header('Location: ' . $backUrl);
        exit;
    }

    if (!is_writable($credentialsFile) && !is_writable(dirname($credentialsFile))) {
        App::flash('error', 'Le fichier de configuration n\'est pas accessible en écriture.');
-        header('Location: /admin/account.php');
+        header('Location: ' . $backUrl);
        exit;
    }

@@ -42,7 +45,7 @@ if ($action === 'remove_credentials') {
        exit;
    } else {
        App::flash('error', 'Impossible de supprimer le fichier de configuration.');
-        header('Location: /admin/account.php');
+        header('Location: ' . $backUrl);
        exit;
    }
 }
@@ -50,11 +53,14 @@ if ($action === 'remove_credentials') {
 // ── Change / set password ─────────────────────────────────────────────────────

 // 1. If a password is already set, verify the current one.
+$backUrl = $_POST['redirect'] ?? '/admin/parametres.php';
+if (!preg_match('#^/admin/#', $backUrl)) { $backUrl = '/admin/parametres.php'; }
+
 if ($hasPassword) {
    $currentPassword = $_POST['current_password'] ?? '';
    if (!AdminAuth::login($currentPassword)) {
        App::flash('error', 'Mot de passe actuel incorrect.');
-        header('Location: /admin/account.php');
+        header('Location: ' . $backUrl);
        exit;
    }
 }
@@ -65,13 +71,13 @@ $confirmPassword = $_POST['confirm_password'] ?? '';

 if (strlen($newPassword) < 12) {
    App::flash('error', 'Le nouveau mot de passe doit contenir au moins 12 caractères.');
-    header('Location: /admin/account.php');
+    header('Location: ' . $backUrl);
    exit;
 }

 if ($newPassword !== $confirmPassword) {
    App::flash('error', 'Les mots de passe ne correspondent pas.');
-    header('Location: /admin/account.php');
+    header('Location: ' . $backUrl);
    exit;
 }

@@ -79,7 +85,7 @@ if ($newPassword !== $confirmPassword) {
 $hash = password_hash($newPassword, PASSWORD_BCRYPT, ['cost' => 12]);
 if ($hash === false) {
    App::flash('error', 'Erreur lors du hachage du mot de passe.');
-    header('Location: /admin/account.php');
+    header('Location: ' . $backUrl);
    exit;
 }

@@ -100,13 +106,13 @@ $tmpFile = $credentialsFile . '.tmp.' . bin2hex(random_bytes(6));
 if (file_put_contents($tmpFile, $configContent, LOCK_EX) === false) {
    @unlink($tmpFile);
    App::flash('error', 'Impossible d\'écrire le fichier de configuration. Vérifiez les permissions sur config/.');
-    header('Location: /admin/account.php');
+    header('Location: ' . $backUrl);
    exit;
 }
 if (!rename($tmpFile, $credentialsFile)) {
    @unlink($tmpFile);
    App::flash('error', 'Impossible de mettre à jour le fichier de configuration.');
-    header('Location: /admin/account.php');
+    header('Location: ' . $backUrl);
    exit;
 }

@@ -118,5 +124,5 @@ App::flash('success', $hasPassword
    ? 'Mot de passe mis à jour avec succès.'
    : 'Mot de passe défini avec succès. L\'authentification PHP est maintenant active.');

-header('Location: /admin/account.php');
+header('Location: ' . $backUrl);
 exit;
--- a/public/admin/actions/maintenance.php
+++ b/public/admin/actions/maintenance.php
@@ -24,5 +24,10 @@ if ($action === 'enable_maintenance') {
    App::flash('error', "Action inconnue.");
 }

-header('Location: /admin/');
+$redirect = isset($_POST['redirect']) ? $_POST['redirect'] : '/admin/';
+// Allow only internal admin redirects for safety
+if (!preg_match('#^/admin/#', $redirect)) {
+    $redirect = '/admin/';
+}
+header('Location: ' . $redirect);
 exit();
--- a/public/admin/index.php
+++ b/public/admin/index.php
@@ -76,29 +76,6 @@ document.addEventListener('DOMContentLoaded', () => {

    <?php include APP_ROOT . '/templates/partials/flash-messages.php'; ?>

-    <!-- Maintenance mode toggle -->
-    <?php $maintenanceOn = file_exists(APP_ROOT . '/storage/maintenance.flag'); ?>
-    <aside role="status" class="admin-maintenance-bar <?= $maintenanceOn ? 'admin-maintenance-bar--active' : '' ?>" aria-label="Statut du site">
-        <?php if ($maintenanceOn): ?>
-            <span>⚠ Mode maintenance <strong>activé</strong> — le site public est inaccessible.</span>
-            <form method="post" action="actions/maintenance.php">
-                <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
-                <input type="hidden" name="action" value="disable_maintenance">
-                <button type="submit" class="admin-btn admin-btn--sm">Désactiver la maintenance</button>
-            </form>
-        <?php else: ?>
-            <span>Site public : <strong>en ligne</strong></span>
-            <form method="post" action="actions/maintenance.php">
-                <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
-                <input type="hidden" name="action" value="enable_maintenance">
-                <button type="submit" class="admin-btn admin-btn--sm admin-btn--warning"
-                        onclick="return confirm('Mettre le site en maintenance ? Les visiteurs verront une page 503.')">
-                    Activer la maintenance
-                </button>
-            </form>
-        <?php endif; ?>
-    </aside>
-
    <!-- Stats (always reflects full DB, independent of active filters) -->
    <dl class="admin-stats">
        <div class="admin-stat">
--- a/public/admin/parametres.php
+++ b/public/admin/parametres.php
@@ -0,0 +1,151 @@
+<?php
+require_once __DIR__ . "/../../config/bootstrap.php";
+require_once __DIR__ . '/../../src/AdminAuth.php';
+AdminAuth::requireLogin();
+
+$pageTitle = "Paramètres";
+
+$credentialsFile = APP_ROOT . '/config/admin_credentials.php';
+$hasPassword     = defined('ADMIN_PASSWORD_HASH');
+$maintenanceOn   = file_exists(APP_ROOT . '/storage/maintenance.flag');
+
+if (empty($_SESSION['csrf_token'])) {
+    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+}
+?>
+<?php $isAdmin = true; $bodyClass = 'admin-body'; require_once APP_ROOT . '/templates/head.php'; ?>
+    <?php include APP_ROOT . '/templates/header.php'; ?>
+
+<main id="main-content">
+    <h1>Paramètres</h1>
+
+    <?php include APP_ROOT . '/templates/partials/flash-messages.php'; ?>
+
+    <!-- ══════════════════════════════════════════════════════════════
+         SECTION 1 — Maintenance
+    ══════════════════════════════════════════════════════════════ -->
+    <section class="admin-settings-section" aria-labelledby="settings-maintenance-title">
+        <h2 class="admin-settings-section__title" id="settings-maintenance-title">Maintenance</h2>
+
+        <div class="admin-maintenance-status <?= $maintenanceOn ? 'admin-maintenance-status--active' : '' ?>">
+            <?php if ($maintenanceOn): ?>
+                <p class="admin-maintenance-status__msg">
+                    <strong>⚠ Mode maintenance activé</strong> — le site public est inaccessible.
+                </p>
+                <form method="post" action="actions/maintenance.php">
+                    <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
+                    <input type="hidden" name="action" value="disable_maintenance">
+                    <input type="hidden" name="redirect" value="/admin/parametres.php">
+                    <button type="submit" class="admin-btn admin-btn--sm">Désactiver la maintenance</button>
+                </form>
+            <?php else: ?>
+                <p class="admin-maintenance-status__msg">
+                    Site public : <strong>en ligne</strong>
+                </p>
+                <form method="post" action="actions/maintenance.php">
+                    <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
+                    <input type="hidden" name="action" value="enable_maintenance">
+                    <input type="hidden" name="redirect" value="/admin/parametres.php">
+                    <button type="submit" class="admin-btn admin-btn--sm admin-btn--warning"
+                            onclick="return confirm('Mettre le site en maintenance ? Les visiteurs verront une page 503.')">
+                        Activer la maintenance
+                    </button>
+                </form>
+            <?php endif; ?>
+        </div>
+    </section>
+
+    <!-- ══════════════════════════════════════════════════════════════
+         SECTION 2 — Compte administrateur
+    ══════════════════════════════════════════════════════════════ -->
+    <section class="admin-settings-section" aria-labelledby="settings-account-title">
+        <h2 class="admin-settings-section__title" id="settings-account-title">Compte administrateur</h2>
+
+        <!-- Status info -->
+        <dl class="admin-account-status">
+            <div class="admin-account-status__row">
+                <dt class="admin-account-status__label">Authentification PHP</dt>
+                <dd><?php $badgeType = 'ok'; $badgeValue = $hasPassword; $badgeOkLabel = 'Active'; $badgeWarnLabel = 'Non configurée'; include APP_ROOT . '/templates/partials/status-badge.php'; ?></dd>
+            </div>
+            <div class="admin-account-status__row">
+                <dt class="admin-account-status__label">Fichier de configuration</dt>
+                <dd>
+                    <code class="admin-account-status__code">config/admin_credentials.php</code>
+                    <?php $badgeType = 'ok'; $badgeValue = file_exists($credentialsFile); $badgeOkLabel = 'Présent'; $badgeWarnLabel = 'Absent'; include APP_ROOT . '/templates/partials/status-badge.php'; ?>
+                </dd>
+            </div>
+            <?php if (!$hasPassword): ?>
+            <p class="admin-account-status__note">
+                Aucun mot de passe PHP configuré. Le formulaire ci-dessous créera
+                <code>config/admin_credentials.php</code> avec un hash bcrypt.
+            </p>
+            <?php endif; ?>
+        </dl>
+
+        <!-- Password change form -->
+        <h3 class="admin-section-title"><?= $hasPassword ? 'Changer le mot de passe' : 'Définir le mot de passe' ?></h3>
+
+        <form method="post" action="/admin/actions/account.php" class="admin-form" autocomplete="off">
+            <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
+            <input type="hidden" name="redirect" value="/admin/parametres.php">
+
+            <?php if ($hasPassword): ?>
+            <div>
+                <label for="current_password">Mot de passe actuel</label>
+                <div>
+                    <input type="password" id="current_password"
+                           name="current_password" required autocomplete="current-password">
+                </div>
+            </div>
+            <?php endif; ?>
+
+            <div>
+                <label for="new_password">Nouveau mot de passe</label>
+                <div>
+                    <input type="password" id="new_password"
+                           name="new_password" required autocomplete="new-password"
+                           minlength="12">
+                    <small>Minimum 12 caractères.</small>
+                </div>
+            </div>
+
+            <div>
+                <label for="confirm_password">Confirmer le mot de passe</label>
+                <div>
+                    <input type="password" id="confirm_password"
+                           name="confirm_password" required autocomplete="new-password">
+                </div>
+            </div>
+
+            <div class="admin-form-footer">
+                <button type="submit" class="admin-btn">
+                    <?= $hasPassword ? 'Mettre à jour le mot de passe' : 'Définir le mot de passe' ?>
+                </button>
+            </div>
+        </form>
+
+        <?php if ($hasPassword): ?>
+        <!-- Danger zone: remove password -->
+        <h3 class="admin-section-title admin-section-title--danger">Zone de danger</h3>
+        <div class="admin-danger-zone">
+            <p class="admin-danger-zone__description">
+                <strong>Supprimer la configuration du mot de passe PHP</strong><br>
+                <small>
+                    Supprime <code>config/admin_credentials.php</code>. L'accès admin
+                    dépendra uniquement de l'authentification nginx Basic Auth si elle est configurée.
+                </small>
+            </p>
+            <form method="post" action="/admin/actions/account.php"
+                  onsubmit="return confirm('Supprimer le fichier de mot de passe PHP ? L\'accès admin ne sera protégé que par nginx Basic Auth.')">
+                <input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
+                <input type="hidden" name="action" value="remove_credentials">
+                <input type="hidden" name="redirect" value="/admin/parametres.php">
+                <input type="hidden" name="current_password_remove" id="current_password_remove" value="">
+                <button type="submit" class="admin-btn admin-btn--danger">Supprimer le fichier</button>
+            </form>
+        </div>
+        <?php endif; ?>
+    </section>
+</main>
+
+<?php require_once APP_ROOT . '/templates/admin/footer.php'; ?>
--- a/public/assets/css/admin.css
+++ b/public/assets/css/admin.css
@@ -905,6 +905,51 @@
    margin-top: var(--space-2xs);
 }

+/* ── Settings page sections ─────────────────────────────────────────────── */
+.admin-settings-section {
+    border: 1px solid var(--border-primary);
+    border-radius: 6px;
+    padding: var(--space-m) var(--space-l);
+    margin-bottom: var(--space-l);
+}
+
+.admin-settings-section__title {
+    font-size: var(--step-0);
+    font-weight: 600;
+    letter-spacing: 0.07em;
+    text-transform: uppercase;
+    color: var(--text-secondary);
+    margin: 0 0 var(--space-m);
+    padding-bottom: var(--space-2xs);
+    border-bottom: 1px solid var(--border-primary);
+}
+
+.admin-maintenance-status {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    gap: var(--space-s);
+    background: var(--bg-secondary);
+    border: 1px solid var(--border-primary);
+    border-radius: 4px;
+    padding: var(--space-xs) var(--space-m);
+    font-size: var(--step--1);
+}
+
+.admin-maintenance-status--active {
+    background: var(--warning-muted-bg);
+    border-color: var(--warning);
+}
+
+.admin-maintenance-status__msg {
+    margin: 0;
+}
+
+.admin-maintenance-status form {
+    display: inline;
+    flex-shrink: 0;
+}
+
 /* ── Cancel link ────────────────────────────────────────────────────────── */
 .admin-cancel-link {
    font-size: var(--step--1);