fix: password-protected share links never load form after password entry

The main GET handler in partage/index.php always showed the password gate
for links with password_hash set, even after successful verification. The
session flag share_verified_<slug> was being set by requirePasswordGate()
but never checked when deciding whether to re-show the gate.

Added a check: if the session flag is already set, skip the gate and
render the form directly.

Also added error_log() calls throughout the password flow to help
diagnose future issues.
Pontoporeia
2026-05-07 20:58:15 +02:00
parent 03121d6b7e
commit 9dc7ea98f2
2 changed files with 20 additions and 0 deletions

@@ -1,5 +1,9 @@
# XAMXAM TODO # XAMXAM TODO
## Fix password-protected share links — form never loads after password entry
- [x] `partage/index.php` — main GET handler: check `$_SESSION['share_verified_' . $slug]` before showing password gate; skip to form if already verified
- [x] `partage/index.php` — add `error_log()` calls throughout password flow (gate entry, hash state, verification result, session check) for debugging
## Merge apropos editables into À propos page + remove charte + source code URL ## Merge apropos editables into À propos page + remove charte + source code URL
- [x] `actions/apropos.php` — only `contacts`; removed credits, erg_url - [x] `actions/apropos.php` — only `contacts`; removed credits, erg_url
- [x] `actions/page.php` — remove `charte` from allowed slugs - [x] `actions/page.php` — remove `charte` from allowed slugs

@@ -72,8 +72,17 @@ if (!$validationResult['valid']) {
} }
if ($reason === 'needs_password') { if ($reason === 'needs_password') {
// If already verified in session, skip the gate and render the form directly
if (!empty($_SESSION['share_verified_' . $slug])) {
error_log('[ShareLink] Session already verified for slug=' . $slug . ', rendering form');
$link = $validationResult['link'];
renderShareLinkForm($slug, $link);
exit;
}
// Show password gate // Show password gate
$link = $validationResult['link']; $link = $validationResult['link'];
error_log('[ShareLink] Password gate triggered for slug=' . $slug . ', method=' . $_SERVER['REQUEST_METHOD']);
requirePasswordGate($link, $slug); requirePasswordGate($link, $slug);
exit; exit;
} }
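Review bot: the new early return at `if (!empty($_SESSION['share_verified_' . $slug]))` trusts a bare boolean keyed only on the slug, and nothing in the visible lines ties it to the link's current `password_hash`, so a visitor who verified once would keep skipping the gate for the rest of the session even after the password on that link is changed. Consider storing a value derived from the current `password_hash` when verification succeeds and comparing it here, so that rotating the password invalidates earlier verifications. Two smaller points: `$link = $validationResult['link'];` now appears in both branches and could be assigned once above the check, and both added `error_log()` calls write the full slug, which is the identifier in the share URL, so the error log should be access-restricted or the slug shortened before logging.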
@@ -129,13 +138,20 @@ function requirePasswordGate(array $link, string $slug): void
require_once APP_ROOT . '/src/ShareLink.php'; require_once APP_ROOT . '/src/ShareLink.php';
$shareLinkModel = new ShareLink(Database::getInstance()); $shareLinkModel = new ShareLink(Database::getInstance());
error_log('[ShareLink] Password verification attempt for slug=' . $slug . ', submitted_password_len=' . strlen($_POST['share_password']));
$hashFromDb = $link['password_hash'] ?? null;
error_log('[ShareLink] Link password_hash from DB: ' . ($hashFromDb !== null ? 'present (len=' . strlen($hashFromDb) . ')' : 'null'));
if ($shareLinkModel->verifyPassword($link, $_POST['share_password'])) { if ($shareLinkModel->verifyPassword($link, $_POST['share_password'])) {
// Store verified status in session // Store verified status in session
$_SESSION['share_verified_' . $slug] = true; $_SESSION['share_verified_' . $slug] = true;
error_log('[ShareLink] Password verified OK for slug=' . $slug . ', redirecting to form');
// Redirect to clear POST data // Redirect to clear POST data
header('Location: /partage/' . $slug); header('Location: /partage/' . $slug);
exit; exit;
} else { } else {
error_log('[ShareLink] Password verification FAILED for slug=' . $slug);
$_SESSION['_flash_error'] = 'Mot de passe incorrect.'; $_SESSION['_flash_error'] = 'Mot de passe incorrect.';
header('Location: /partage/' . $slug); header('Location: /partage/' . $slug);
exit; exit;
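Review bot: the first added `error_log()` records `strlen($_POST['share_password'])`, which writes the length of every submitted password to the log and reads `$_POST['share_password']` before anything in the visible lines confirms the field is present and a string. Suggest dropping the length from the message (the "attempt", "verified OK" and "FAILED" lines already trace the flow) and validating the field before use. On the success path, the visible lines set `$_SESSION['share_verified_' . $slug] = true` without a `session_regenerate_id(true)` call; adding one before the flag is set would keep a session ID that existed before verification from being promoted to verified. If these log lines are meant only for diagnosing this bug, consider putting them behind a debug setting so the per-attempt FAILED entries with the slug do not accumulate in production logs.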