From 7e987d281c6ccb254f82b40ad111d86122a02256 Mon Sep 17 00:00:00 2001 From: Pontoporeia Date: Mon, 11 May 2026 00:34:36 +0200 Subject: [PATCH] fix: add hx-swap="none" to admin auto-save checkboxes to prevent page swap --- app/public/admin/actions/settings.php | 11 ++++------- app/templates/admin/acces.php | 13 +++++++++++++ app/templates/admin/contenus.php | 18 +++++++++--------- ...Z_019e1332-ce31-70fa-87a1-aa3495b526a9.html | 0 4 files changed, 26 insertions(+), 16 deletions(-) rename pi-session-2026-05-10T18-42-37-234Z_019e1332-ce31-70fa-87a1-aa3495b526a9.html => docs/pi-session-2026-05-10T18-42-37-234Z_019e1332-ce31-70fa-87a1-aa3495b526a9.html (100%) diff --git a/app/public/admin/actions/settings.php b/app/public/admin/actions/settings.php index 2906c6d..d9bdd9d 100644 --- a/app/public/admin/actions/settings.php +++ b/app/public/admin/actions/settings.php @@ -100,16 +100,13 @@ if ($section === 'formulaire') { App::flash('error', "Section inconnue."); } -$_SESSION['csrf_token'] = bin2hex(random_bytes(32)); - if ($isHxRequest) { - // Return updated CSRF tokens for all three hidden inputs on the page - $newToken = htmlspecialchars($_SESSION['csrf_token']); - echo ''; - echo ''; - echo ''; + // Auto-save from contenus.php — no CSRF rotation needed (token reused until full page load). + // Return empty 200 so hx-swap="none" is a no-op. + http_response_code(200); exit; } +$_SESSION['csrf_token'] = bin2hex(random_bytes(32)); header('Location: /admin/parametres.php'); exit; diff --git a/app/templates/admin/acces.php b/app/templates/admin/acces.php index da7f14f..e4c78c1 100644 --- a/app/templates/admin/acces.php +++ b/app/templates/admin/acces.php 
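Review bot: In the `$isHxRequest` branch of settings.php the handler now answers 200 with an empty body even when the code just above has called `App::flash('error', "Section inconnue.")`, so with `hx-swap="none"` a failed auto-save is invisible to the admin and the flash only surfaces on a later full page load. Consider tracking the outcome and returning a status the client can react to, e.g. `http_response_code($saved ? 204 : 422);`, where `$saved` is a placeholder for whatever flag the section handlers set. Skipping rotation here also keeps one CSRF token valid across every auto-save in the session, which is acceptable only if the token check still runs before the section handlers for HX requests and compares with `hash_equals()`. That check is not visible in this hunk, so please confirm it and say so in the comment next to the branch, for example `// CSRF token is still validated above for HX requests; only rotation is skipped.`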
@@ -558,6 +558,19 @@ +%%%%%%% diff from: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision) +\\\\\\\ to: olzzwmwr 82533c5a "feat: require 3 mots-clés in partage, language asterisk toggle, admin auto-save checkboxes" (rebased revision) ++ $linkName = $link['name'] ?? ''; +++ $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff from: olzzwmwr 82533c5a "feat: require 3 mots-clés in partage, language asterisk toggle, admin auto-save checkboxes" (rebased revision) +\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ to: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision) +- $linkName = $link['name'] ?? ''; +- $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff from: somsyvxz 14a3cd10 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebase destination) +\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ to: nlvsnzkz bb34ea85 "fix: add hx-swap="none" to admin auto-save checkboxes to prevent page swap" (rebased revision) + $linkName = $link['name'] ?? ''; + $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; + $linkLockedYear = $link['locked_year'] ?? 
null; ++%%%%%%% diff from: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision) ++\\\\\\\ to: nlvsnzkz 0f4613f5 "fix: add hx-swap="none" to admin auto-save checkboxes to prevent page swap" (rebased revision) +++ $linkName = $link['name'] ?? ''; ++ $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : ''; ?> diff --git a/app/templates/admin/contenus.php b/app/templates/admin/contenus.php index 14ffe9c..739558b 100644 --- a/app/templates/admin/contenus.php +++ b/app/templates/admin/contenus.php @@ -89,7 +89,7 @@ Restrictions d'accès aux fichiers
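Review bot: The lines added to the PHP block in acces.php look like unresolved Jujutsu conflict markers (`%%%%%%% diff from: …`, `\\\\\\\ to: …`) plus duplicated copies of the `$linkName` / `$linkExpiresVal` assignments, and none of it relates to the hx-swap fix named in the subject. Marker lines are not valid PHP, so the template would most likely fail to parse and the admin page rendered from it would error out, printing file paths if `display_errors` is enabled. Resolve the conflict before merging so the block keeps exactly one copy of each assignment, `$linkName = $link['name'] ?? '';` and `$linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';`. A `php -l` lint step over the templates in CI would stop this kind of commit from landing.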
- +