From 9dc7ea98f252977b464144e85f6f63b4ab7eda1e Mon Sep 17 00:00:00 2001
From: Pontoporeia
Date: Thu, 7 May 2026 20:58:15 +0200
Subject: [PATCH] fix: password-protected share links never load form after password entry

The main GET handler in partage/index.php always showed the password gate for links with password_hash set, even after successful verification. The session flag share_verified_ was being set by requirePasswordGate() but never checked when deciding whether to re-show the gate. Added a check: if the session flag is already set, skip the gate and render the form directly. Also added error_log() calls throughout the password flow to help diagnose future issues.
---
 TODO.md | 4 ++++
 app/public/partage/index.php | 16 ++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/TODO.md b/TODO.md
index 73beb4d..f36a2fe 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,5 +1,9 @@
 # XAMXAM TODO
+## Fix password-protected share links — form never loads after password entry
+- [x] `partage/index.php` — main GET handler: check `$_SESSION['share_verified_' . $slug]` before showing password gate; skip to form if already verified
+- [x] `partage/index.php` — add `error_log()` calls throughout password flow (gate entry, hash state, verification result, session check) for debugging
+
 ## Merge apropos editables into À propos page + remove charte + source code URL
 - [x] `actions/apropos.php` — only `contacts`; removed credits, erg_url
 - [x] `actions/page.php` — remove `charte` from allowed slugs
diff --git a/app/public/partage/index.php b/app/public/partage/index.php
index 1722677..49005cf 100644
--- a/app/public/partage/index.php
+++ b/app/public/partage/index.php
@@ -72,8 +72,17 @@ if (!$validationResult['valid']) {
 }
 if ($reason === 'needs_password') {
+ // If already verified in session, skip the gate and render the form directly
+ if (!empty($_SESSION['share_verified_' . $slug])) {
+ error_log('[ShareLink] Session already verified for slug=' . $slug . ', rendering form');
+ $link = $validationResult['link'];
+ renderShareLinkForm($slug, $link);
+ exit;
+ }
+
 // Show password gate
 $link = $validationResult['link'];
+ error_log('[ShareLink] Password gate triggered for slug=' . $slug . ', method=' . $_SERVER['REQUEST_METHOD']);
 requirePasswordGate($link, $slug);
 exit;
 }
@@ -129,13 +138,20 @@ function requirePasswordGate(array $link, string $slug): void
 require_once APP_ROOT . '/src/ShareLink.php';
 $shareLinkModel = new ShareLink(Database::getInstance());
+ error_log('[ShareLink] Password verification attempt for slug=' . $slug . ', submitted_password_len=' . strlen($_POST['share_password']));
+
+ $hashFromDb = $link['password_hash'] ?? null;
+ error_log('[ShareLink] Link password_hash from DB: ' . ($hashFromDb !== null ? 'present (len=' . strlen($hashFromDb) . ')' : 'null'));
+
 if ($shareLinkModel->verifyPassword($link, $_POST['share_password'])) {
 // Store verified status in session
 $_SESSION['share_verified_' . $slug] = true;
+ error_log('[ShareLink] Password verified OK for slug=' . $slug . ', redirecting to form');
 // Redirect to clear POST data
 header('Location: /partage/' . $slug);
 exit;
 } else {
+ error_log('[ShareLink] Password verification FAILED for slug=' . $slug);
 $_SESSION['_flash_error'] = 'Mot de passe incorrect.';
 header('Location: /partage/' . $slug);
 exit;
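Review bot: The new bypass at `if (!empty($_SESSION['share_verified_' . $slug]))` trusts a bare boolean keyed only by the slug, so a session verified once keeps skipping the gate even if the link's password is changed afterwards (assuming passwords can be rotated; that code is not visible here). Binding the flag to the current hash would close this: store `hash('sha256', $link['password_hash'])` in requirePasswordGate() instead of `true`, and compare here with `hash_equals(hash('sha256', (string) ($link['password_hash'] ?? '')), (string) ($_SESSION['share_verified_' . $slug] ?? ''))`. `$link = $validationResult['link'];` is now assigned on both paths and could be hoisted above the check, which the comparison needs anyway. The enclosing `if (!$validationResult['valid'])` block starts outside the hunk.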
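Review bot: The attempt log line writes `strlen($_POST['share_password'])` to the error log, and on a successful attempt that value is the length of the real share password; drop `submitted_password_len`, and the hash length in the next log line, which adds nothing for diagnosis. The same `strlen()` call throws a TypeError on PHP 8 when the field arrives as an array, unless the condition outside this hunk already checks `is_string()`. In the success branch, call `session_regenerate_id(true);` before `$_SESSION['share_verified_' . $slug] = true;` so that a session id set before verification does not inherit the verified state. The FAILED line would be more useful for spotting repeated guessing if it also carried `$_SERVER['REMOTE_ADDR']`. requirePasswordGate() begins and ends outside the hunk.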