mirror of
https://codeberg.org/PostERG/xamxam.git
synced 2026-06-26 00:29:18 +02:00
feat: mandatory auto-generated passwords for share links + admin password copy/regeneration + password gate rate limiting
This commit is contained in:
Pontoporeia
@@ -29,7 +29,12 @@ extract($vars);
|
||||
$pageTitle = 'Accès';
|
||||
$isAdmin = true;
|
||||
$bodyClass = 'admin-body';
|
||||
$extraJs = ['/assets/js/app/clipboard.js'];
|
||||
$extraJs = ['/assets/js/app/clipboard.js', '/assets/js/app/acces-password.js'];
|
||||
|
||||
// Flash data for newly created/updated links (password display in modals)
|
||||
$newLinkSlug = $_SESSION['_flash_new_link_slug'] ?? null;
|
||||
$newLinkPassword = $_SESSION['_flash_new_link_password'] ?? null;
|
||||
unset($_SESSION['_flash_new_link_slug'], $_SESSION['_flash_new_link_password']);
|
||||
|
||||
require_once APP_ROOT . '/templates/head.php';
|
||||
echo '<link rel="stylesheet" href="/assets/css/file-access.css">';
|
||||
|
||||
@@ -26,7 +26,6 @@ $logger = AdminLogger::make();
|
||||
switch ($action) {
|
||||
case 'create':
|
||||
$name = !empty($_POST['name']) ? trim($_POST['name']) : null;
|
||||
$password = !empty($_POST['password']) ? trim($_POST['password']) : null;
|
||||
$expiresRaw = !empty($_POST['expires_at']) ? trim($_POST['expires_at']) : null;
|
||||
$expiresAt = null;
|
||||
if ($expiresRaw) {
|
||||
@@ -39,13 +38,16 @@ switch ($action) {
|
||||
$validObjet = ['tfe', 'thèse', 'frart'];
|
||||
$selected = is_array($objetRaw) ? array_intersect($objetRaw, $validObjet) : [];
|
||||
$objetRestriction = !empty($selected) ? implode(',', $selected) : 'tfe';
|
||||
$link = $shareLink->create(1, $password, $expiresAt, $objetRestriction, $name);
|
||||
$link = $shareLink->create(1, $expiresAt, $objetRestriction, $name);
|
||||
$logger->logLinkCreate(
|
||||
$link['slug'] ?? '',
|
||||
$password !== null,
|
||||
true, // Always has password
|
||||
$expiresAt,
|
||||
$objetRestriction
|
||||
);
|
||||
// Flash the generated password and slug for display in the modal
|
||||
$_SESSION['_flash_new_link_slug'] = $link['slug'] ?? '';
|
||||
$_SESSION['_flash_new_link_password'] = $link['_plain_password'] ?? '';
|
||||
App::redirect('/admin/acces.php', success: 'Lien d\'accès créé.');
|
||||
break;
|
||||
|
||||
@@ -83,9 +85,8 @@ switch ($action) {
|
||||
case 'update':
|
||||
if ($id > 0) {
|
||||
$name = isset($_POST['name']) ? trim($_POST['name']) : null;
|
||||
$password = isset($_POST['password']) ? trim($_POST['password']) : null;
|
||||
$expiresRaw = isset($_POST['expires_at']) ? trim($_POST['expires_at']) : null;
|
||||
$shareLink->update($id, $name, $password, $expiresRaw);
|
||||
$shareLink->update($id, $name, $expiresRaw);
|
||||
App::redirect('/admin/acces.php', success: 'Lien mis à jour.');
|
||||
} else {
|
||||
App::redirect('/admin/acces.php', error: 'Lien introuvable.');
|
||||
|
||||
30
app/public/assets/js/app/acces-password.js
Normal file
30
app/public/assets/js/app/acces-password.js
Normal file
@@ -0,0 +1,30 @@
|
||||
/**
|
||||
* acces-password.js — copy text to clipboard helper.
|
||||
*
|
||||
* Usage:
|
||||
* copyTextToClipboard('some text')
|
||||
*
|
||||
* Provides visual feedback on the originating button.
|
||||
*/
|
||||
(function () {
|
||||
'use strict';
|
||||
|
||||
window.copyTextToClipboard = function (text) {
|
||||
if (!text) return;
|
||||
navigator.clipboard.writeText(text).then(function () {
|
||||
var btn = window.event && window.event.target ? window.event.target.closest('button') : null;
|
||||
if (btn) {
|
||||
var origTitle = btn.getAttribute('title') || '';
|
||||
var origHTML = btn.innerHTML;
|
||||
btn.setAttribute('title', '\u2713 Copi\u00e9');
|
||||
btn.innerHTML = '\u2713';
|
||||
setTimeout(function () {
|
||||
btn.setAttribute('title', origTitle);
|
||||
btn.innerHTML = origHTML;
|
||||
}, 1200);
|
||||
}
|
||||
}).catch(function () {
|
||||
// Clipboard write failed — silently ignore
|
||||
});
|
||||
};
|
||||
})();
|
||||
@@ -189,6 +189,18 @@ function requirePasswordGate(array $link, string $slug): void
|
||||
{
|
||||
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['share_password'])) {
|
||||
error_log('[partage/password-gate] ENTRY | slug=' . $slug . ' | post_keys=' . implode(',', array_keys($_POST)));
|
||||
|
||||
// ── Rate limiting: 10 attempts per IP per slug per 5 minutes ──────
|
||||
require_once APP_ROOT . '/src/RateLimit.php';
|
||||
$gateRateLimitId = 'share_gate_' . $slug . '_' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown');
|
||||
$gateRateLimit = new RateLimit(10, 300, STORAGE_ROOT . '/cache/rate_limit');
|
||||
if (!$gateRateLimit->checkKey($gateRateLimitId)) {
|
||||
error_log('[ShareLink] Rate limit hit for password gate slug=' . $slug);
|
||||
$_SESSION['_flash_error'] = 'Trop de tentatives. Veuillez réessayer dans quelques minutes.';
|
||||
header('Location: /partage/' . $slug);
|
||||
exit;
|
||||
}
|
||||
|
||||
require_once APP_ROOT . '/src/ShareLink.php';
|
||||
$shareLinkModel = new ShareLink(Database::getInstance());
|
||||
|
||||
|
||||
Reference in New Issue
Block a user