maintenance: allow /partage through gate, fix fragment routing, add visibility table in admin

Extract shared filepond logic into src/FilepondHandler.php class. Admin filepond endpoints delegate to the handler after AdminAuth check. New partage filepond endpoints at /partage/actions/filepond/ verify share_active session flag + CSRF token, no admin auth required. JS reads filepond-base meta tag to determine endpoint path: - Admin pages: /admin/actions/filepond (via head.php isAdmin check) - Partage form: /partage/actions/filepond (explicit meta) partage/index.php sets share_active = true on form render, cleans up on successful submit. Partage process endpoint rate-limited to 30/5min per session. No nginx changes needed — /partage/ location already handles PHP without auth_basic.
2026-06-25 16:19:19 +02:00 · 2026-05-12 15:19:32 +02:00
parent da153fc604
commit 6f7a02244f
22 changed files with 15010 additions and 532 deletions
--- a/app/templates/head.php
+++ b/app/templates/head.php
@@ -67,6 +67,9 @@
    <?php if (!empty($_SESSION['csrf_token'])): ?>
    <meta name="csrf-token" content="<?= htmlspecialchars($_SESSION['csrf_token']) ?>">
    <?php endif; ?>
+    <?php if (!empty($isAdmin) || !empty($filepondBase)): ?>
+    <meta name="filepond-base" content="<?= htmlspecialchars($filepondBase ?? '/admin/actions/filepond') ?>">
+    <?php endif; ?>
    <link rel="stylesheet" href="<?= App::assetV('/assets/css/modern-normalize.min.css') ?>">
    <link rel="stylesheet" href="<?= App::assetV('/assets/css/common.css') ?>">
    <?php foreach ($extraCss ?? [] as $css): ?>