PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-06-26 00:29:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

maintenance: allow /partage through gate, fix fragment routing, add visibility table in admin

Browse Source 
Extract shared filepond logic into src/FilepondHandler.php class.
Admin filepond endpoints delegate to the handler after AdminAuth check.
New partage filepond endpoints at /partage/actions/filepond/ verify
share_active session flag + CSRF token, no admin auth required.

JS reads filepond-base meta tag to determine endpoint path:
- Admin pages: /admin/actions/filepond (via head.php isAdmin check)
- Partage form: /partage/actions/filepond (explicit meta)

partage/index.php sets share_active = true on form render, cleans up on
successful submit. Partage process endpoint rate-limited to 30/5min per
session. No nginx changes needed — /partage/ location already handles
PHP without auth_basic.
This commit is contained in:
Pontoporeia
2026-05-12 15:19:32 +02:00
parent da153fc604
commit 6f7a02244f
22 changed files with 15010 additions and 532 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
app/public/admin/actions/filepond/load.php
View File

@@ -1,6 +1,6 @@
<?php
/**
* FilePond load endpoint — streams an existing thesis file back to FilePond.
* FilePond load endpoint — streams an existing thesis file back to FilePond (admin).
*
* GET /admin/actions/filepond/load.php?id={db_id}
*
@@ -9,77 +9,10 @@
require_once __DIR__ . '/../../../../bootstrap.php';
require_once __DIR__ . '/../../../../src/AdminAuth.php';
require_once __DIR__ . '/../../../../src/ErrorHandler.php';
require_once __DIR__ . '/../../../../src/FilepondHandler.php';
// ── Auth (admin only) ────────────────────────────────────────────────────
AdminAuth::requireLogin();
// ── Only accept GET ──────────────────────────────────────────────────────
if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
http_response_code(405);
die('Méthode non autorisée.');
}
// ── Validate db_id ───────────────────────────────────────────────────────
$dbId = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT);
if ($dbId === false || $dbId <= 0) {
http_response_code(400);
die('ID invalide.');
}
// ── Look up file in DB (validation of thesis ownership is implicit via admin auth + DB lookup) ──
require_once APP_ROOT . '/src/Database.php';
$db = new Database();
// Fetch thesis_files row by its own primary key
$pdo = $db->getConnection();
$stmt = $pdo->prepare('SELECT * FROM thesis_files WHERE id = ?');
$stmt->execute([$dbId]);
$fileRow = $stmt->fetch();
if (!$fileRow) {
http_response_code(404);
die('Fichier introuvable.');
}
$filePath = $fileRow['file_path'] ?? '';
$fileName = $fileRow['file_name'] ?? basename($filePath);
$mimeType = $fileRow['mime_type'] ?? 'application/octet-stream';
// ── PeerTube entries: return a placeholder SVG blob so FilePond can display them ─┐
if (str_starts_with($filePath, 'peertube_ids:')) {
$uuid = substr($filePath, strlen('peertube_ids:'));
$isVideo = ($fileRow['file_type'] ?? '') === 'video';
$svg = $isVideo
? '<svg xmlns="http://www.w3.org/2000/svg" width="180" height="120" viewBox="0 0 180 120"><rect width="180" height="120" fill="#1a1a2e"/><polygon points="70,35 70,85 125,60" fill="#e94560"/><text x="90" y="110" text-anchor="middle" font-family="sans-serif" font-size="10" fill="#aaa">PeerTube ' . htmlspecialchars($uuid) . '</text></svg>'
: '<svg xmlns="http://www.w3.org/2000/svg" width="180" height="120" viewBox="0 0 180 120"><rect width="180" height="120" fill="#1a1a2e"/><circle cx="55" cy="60" r="20" fill="none" stroke="#4ecca3" stroke-width="3"/><line x1="72" y1="48" x2="95" y2="38" stroke="#4ecca3" stroke-width="3"/><line x1="72" y1="60" x2="110" y2="60" stroke="#4ecca3" stroke-width="3"/><line x1="72" y1="72" x2="95" y2="82" stroke="#4ecca3" stroke-width="3"/><text x="90" y="110" text-anchor="middle" font-family="sans-serif" font-size="10" fill="#aaa">PeerTube ' . htmlspecialchars($uuid) . '</text></svg>';
header('Content-Type: image/svg+xml');
header('Content-Length: ' . strlen($svg));
header('Content-Disposition: inline; filename="peertube.svg"');
header('Cache-Control: no-cache');
echo $svg;
exit;
}
if (str_starts_with($filePath, 'http://') || str_starts_with($filePath, 'https://')) {
http_response_code(404);
die('URL — pas de flux direct.');
}
// ── Resolve absolute path ────────────────────────────────────────────────
$absPath = STORAGE_ROOT . '/' . $filePath;
if (!file_exists($absPath) || !is_readable($absPath)) {
http_response_code(404);
die('Fichier absent du disque.');
}
// ── Stream the file ──────────────────────────────────────────────────────
$fileSize = filesize($absPath);
// Content-Disposition: inline so FilePond receives it as a valid file
header('Content-Type: ' . $mimeType);
header('Content-Length: ' . $fileSize);
header('Content-Disposition: inline; filename="' . addslashes($fileName) . '"');
header('Cache-Control: no-cache');
readfile($absPath);
exit;
$handler = new FilepondHandler('[filepond:admin]');
$handler->handleLoad();