PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 19:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add Paramètres page: consolidate maintenance + account settings

Browse Source
This commit is contained in:
Pontoporeia
2026-04-08 15:06:51 +02:00
parent ba135f0cb5
commit 603af07b68
8 changed files with 262 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
public/admin/actions/account.php
View File

@@ -23,15 +23,18 @@ $action = $_POST['action'] ?? 'change_password';
// ── Remove credentials ────────────────────────────────────────────────────────
if ($action === 'remove_credentials') {
$backUrl = $_POST['redirect'] ?? '/admin/parametres.php';
if (!preg_match('#^/admin/#', $backUrl)) { $backUrl = '/admin/parametres.php'; }
if (!$hasPassword) {
App::flash('error', 'Aucun fichier de mot de passe à supprimer.');
header('Location: /admin/account.php');
header('Location: ' . $backUrl);
exit;
}
if (!is_writable($credentialsFile) && !is_writable(dirname($credentialsFile))) {
App::flash('error', 'Le fichier de configuration n\'est pas accessible en écriture.');
header('Location: /admin/account.php');
header('Location: ' . $backUrl);
exit;
}
@@ -42,7 +45,7 @@ if ($action === 'remove_credentials') {
exit;
} else {
App::flash('error', 'Impossible de supprimer le fichier de configuration.');
header('Location: /admin/account.php');
header('Location: ' . $backUrl);
exit;
}
}
@@ -50,11 +53,14 @@ if ($action === 'remove_credentials') {
// ── Change / set password ─────────────────────────────────────────────────────
// 1. If a password is already set, verify the current one.
$backUrl = $_POST['redirect'] ?? '/admin/parametres.php';
if (!preg_match('#^/admin/#', $backUrl)) { $backUrl = '/admin/parametres.php'; }
if ($hasPassword) {
$currentPassword = $_POST['current_password'] ?? '';
if (!AdminAuth::login($currentPassword)) {
App::flash('error', 'Mot de passe actuel incorrect.');
header('Location: /admin/account.php');
header('Location: ' . $backUrl);
exit;
}
}
@@ -65,13 +71,13 @@ $confirmPassword = $_POST['confirm_password'] ?? '';
if (strlen($newPassword) < 12) {
App::flash('error', 'Le nouveau mot de passe doit contenir au moins 12 caractères.');
header('Location: /admin/account.php');
header('Location: ' . $backUrl);
exit;
}
if ($newPassword !== $confirmPassword) {
App::flash('error', 'Les mots de passe ne correspondent pas.');
header('Location: /admin/account.php');
header('Location: ' . $backUrl);
exit;
}
@@ -79,7 +85,7 @@ if ($newPassword !== $confirmPassword) {
$hash = password_hash($newPassword, PASSWORD_BCRYPT, ['cost' => 12]);
if ($hash === false) {
App::flash('error', 'Erreur lors du hachage du mot de passe.');
header('Location: /admin/account.php');
header('Location: ' . $backUrl);
exit;
}
@@ -100,13 +106,13 @@ $tmpFile = $credentialsFile . '.tmp.' . bin2hex(random_bytes(6));
if (file_put_contents($tmpFile, $configContent, LOCK_EX) === false) {
@unlink($tmpFile);
App::flash('error', 'Impossible d\'écrire le fichier de configuration. Vérifiez les permissions sur config/.');
header('Location: /admin/account.php');
header('Location: ' . $backUrl);
exit;
}
if (!rename($tmpFile, $credentialsFile)) {
@unlink($tmpFile);
App::flash('error', 'Impossible de mettre à jour le fichier de configuration.');
header('Location: /admin/account.php');
header('Location: ' . $backUrl);
exit;
}
@@ -118,5 +124,5 @@ App::flash('success', $hasPassword
? 'Mot de passe mis à jour avec succès.'
: 'Mot de passe défini avec succès. L\'authentification PHP est maintenant active.');
header('Location: /admin/account.php');
header('Location: ' . $backUrl);
exit;

7
public/admin/actions/maintenance.php
View File

@@ -24,5 +24,10 @@ if ($action === 'enable_maintenance') {
App::flash('error', "Action inconnue.");
}
header('Location: /admin/');
$redirect = isset($_POST['redirect']) ? $_POST['redirect'] : '/admin/';
// Allow only internal admin redirects for safety
if (!preg_match('#^/admin/#', $redirect)) {
$redirect = '/admin/';
}
header('Location: ' . $redirect);
exit();

23
public/admin/index.php
View File

@@ -76,29 +76,6 @@ document.addEventListener('DOMContentLoaded', () => {
<?php include APP_ROOT . '/templates/partials/flash-messages.php'; ?>
<!-- Maintenance mode toggle -->
<?php $maintenanceOn = file_exists(APP_ROOT . '/storage/maintenance.flag'); ?>
<aside role="status" class="admin-maintenance-bar <?= $maintenanceOn ? 'admin-maintenance-bar--active' : '' ?>" aria-label="Statut du site">
<?php if ($maintenanceOn): ?>
<span>⚠ Mode maintenance <strong>activé</strong> — le site public est inaccessible.</span>
<form method="post" action="actions/maintenance.php">
<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
<input type="hidden" name="action" value="disable_maintenance">
<button type="submit" class="admin-btn admin-btn--sm">Désactiver la maintenance</button>
</form>
<?php else: ?>
<span>Site public : <strong>en ligne</strong></span>
<form method="post" action="actions/maintenance.php">
<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
<input type="hidden" name="action" value="enable_maintenance">
<button type="submit" class="admin-btn admin-btn--sm admin-btn--warning"
onclick="return confirm('Mettre le site en maintenance ? Les visiteurs verront une page 503.')">
Activer la maintenance
</button>
</form>
<?php endif; ?>
</aside>
<!-- Stats (always reflects full DB, independent of active filters) -->
<dl class="admin-stats">
<div class="admin-stat">

151
public/admin/parametres.php Normal file
View File

@@ -0,0 +1,151 @@
<?php
require_once __DIR__ . "/../../config/bootstrap.php";
require_once __DIR__ . '/../../src/AdminAuth.php';
AdminAuth::requireLogin();
$pageTitle = "Paramètres";
$credentialsFile = APP_ROOT . '/config/admin_credentials.php';
$hasPassword = defined('ADMIN_PASSWORD_HASH');
$maintenanceOn = file_exists(APP_ROOT . '/storage/maintenance.flag');
if (empty($_SESSION['csrf_token'])) {
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
?>
<?php $isAdmin = true; $bodyClass = 'admin-body'; require_once APP_ROOT . '/templates/head.php'; ?>
<?php include APP_ROOT . '/templates/header.php'; ?>
<main id="main-content">
<h1>Paramètres</h1>
<?php include APP_ROOT . '/templates/partials/flash-messages.php'; ?>
<!-- ══════════════════════════════════════════════════════════════
SECTION 1 — Maintenance
══════════════════════════════════════════════════════════════ -->
<section class="admin-settings-section" aria-labelledby="settings-maintenance-title">
<h2 class="admin-settings-section__title" id="settings-maintenance-title">Maintenance</h2>
<div class="admin-maintenance-status <?= $maintenanceOn ? 'admin-maintenance-status--active' : '' ?>">
<?php if ($maintenanceOn): ?>
<p class="admin-maintenance-status__msg">
<strong>⚠ Mode maintenance activé</strong> — le site public est inaccessible.
</p>
<form method="post" action="actions/maintenance.php">
<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
<input type="hidden" name="action" value="disable_maintenance">
<input type="hidden" name="redirect" value="/admin/parametres.php">
<button type="submit" class="admin-btn admin-btn--sm">Désactiver la maintenance</button>
</form>
<?php else: ?>
<p class="admin-maintenance-status__msg">
Site public : <strong>en ligne</strong>
</p>
<form method="post" action="actions/maintenance.php">
<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
<input type="hidden" name="action" value="enable_maintenance">
<input type="hidden" name="redirect" value="/admin/parametres.php">
<button type="submit" class="admin-btn admin-btn--sm admin-btn--warning"
onclick="return confirm('Mettre le site en maintenance ? Les visiteurs verront une page 503.')">
Activer la maintenance
</button>
</form>
<?php endif; ?>
</div>
</section>
<!-- ══════════════════════════════════════════════════════════════
SECTION 2 — Compte administrateur
══════════════════════════════════════════════════════════════ -->
<section class="admin-settings-section" aria-labelledby="settings-account-title">
<h2 class="admin-settings-section__title" id="settings-account-title">Compte administrateur</h2>
<!-- Status info -->
<dl class="admin-account-status">
<div class="admin-account-status__row">
<dt class="admin-account-status__label">Authentification PHP</dt>
<dd><?php $badgeType = 'ok'; $badgeValue = $hasPassword; $badgeOkLabel = 'Active'; $badgeWarnLabel = 'Non configurée'; include APP_ROOT . '/templates/partials/status-badge.php'; ?></dd>
</div>
<div class="admin-account-status__row">
<dt class="admin-account-status__label">Fichier de configuration</dt>
<dd>
<code class="admin-account-status__code">config/admin_credentials.php</code>
<?php $badgeType = 'ok'; $badgeValue = file_exists($credentialsFile); $badgeOkLabel = 'Présent'; $badgeWarnLabel = 'Absent'; include APP_ROOT . '/templates/partials/status-badge.php'; ?>
</dd>
</div>
<?php if (!$hasPassword): ?>
<p class="admin-account-status__note">
Aucun mot de passe PHP configuré. Le formulaire ci-dessous créera
<code>config/admin_credentials.php</code> avec un hash bcrypt.
</p>
<?php endif; ?>
</dl>
<!-- Password change form -->
<h3 class="admin-section-title"><?= $hasPassword ? 'Changer le mot de passe' : 'Définir le mot de passe' ?></h3>
<form method="post" action="/admin/actions/account.php" class="admin-form" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
<input type="hidden" name="redirect" value="/admin/parametres.php">
<?php if ($hasPassword): ?>
<div>
<label for="current_password">Mot de passe actuel</label>
<div>
<input type="password" id="current_password"
name="current_password" required autocomplete="current-password">
</div>
</div>
<?php endif; ?>
<div>
<label for="new_password">Nouveau mot de passe</label>
<div>
<input type="password" id="new_password"
name="new_password" required autocomplete="new-password"
minlength="12">
<small>Minimum 12 caractères.</small>
</div>
</div>
<div>
<label for="confirm_password">Confirmer le mot de passe</label>
<div>
<input type="password" id="confirm_password"
name="confirm_password" required autocomplete="new-password">
</div>
</div>
<div class="admin-form-footer">
<button type="submit" class="admin-btn">
<?= $hasPassword ? 'Mettre à jour le mot de passe' : 'Définir le mot de passe' ?>
</button>
</div>
</form>
<?php if ($hasPassword): ?>
<!-- Danger zone: remove password -->
<h3 class="admin-section-title admin-section-title--danger">Zone de danger</h3>
<div class="admin-danger-zone">
<p class="admin-danger-zone__description">
<strong>Supprimer la configuration du mot de passe PHP</strong><br>
<small>
Supprime <code>config/admin_credentials.php</code>. L'accès admin
dépendra uniquement de l'authentification nginx Basic Auth si elle est configurée.
</small>
</p>
<form method="post" action="/admin/actions/account.php"
onsubmit="return confirm('Supprimer le fichier de mot de passe PHP ? L\'accès admin ne sera protégé que par nginx Basic Auth.')">
<input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
<input type="hidden" name="action" value="remove_credentials">
<input type="hidden" name="redirect" value="/admin/parametres.php">
<input type="hidden" name="current_password_remove" id="current_password_remove" value="">
<button type="submit" class="admin-btn admin-btn--danger">Supprimer le fichier</button>
</form>
</div>
<?php endif; ?>
</section>
</main>
<?php require_once APP_ROOT . '/templates/admin/footer.php'; ?>