security: fix all HIGH priority items from TODO.SECURITY.md

Items resolved:
- #3 (HIGH): Move file uploads outside webroot to STORAGE_ROOT (/var/www/posterg/storage).
  Uploads were previously stored in public/admin/actions/data/ which is web-accessible.
- #4 (HIGH): Align file paths and add media.php controller.
  DB paths are now storage-relative (theses/YEAR/ID/file, covers/file).
  New public/media.php serves files with path-traversal jail, MIME allow-list,
  and proper caching headers. memoire.php and search.php updated to use /media.php?path=.
  Also fixed: cover images were never recorded in thesis_files (broken INSERT).
- #5 (HIGH): RateLimit::getClientIdentifier() now uses REMOTE_ADDR only.
  HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are attacker-controlled headers that
  allowed unlimited rate-limit bypass by rotating spoofed IPs.
- #6 (HIGH): Port public/admin/.htaccess security rules to nginx/posterg.conf.
  Apache .htaccess directives are silently ignored by nginx; none were active.
  CSP added to /admin/ location block, .log file denial added globally,
  autoindex off made explicit. Documented in nginx/HTACCESS_TO_NGINX.md.

Supporting changes:
- config/bootstrap.php: add STORAGE_ROOT constant
- nginx/SECURITY_HEADERS.md: updated to reflect admin CSP and pending public CSP
- docs/TODO.SECURITY.md: items #3-6 moved to resolved; priority order updated

public/admin/actions/formulaire.php

@@ -194,9 +194,10 @@ try {
 
     // ===== HANDLE FILE UPLOADS =====
 
-    // Create necessary directories
-    $uploadBaseDir = __DIR__ . "/data/theses/{$annee}/{$identifier}/";
-    $coverDir = __DIR__ . "/data/covers/";
+    // Create necessary directories — outside the webroot (security items #3 & #4).
+    // Files are served through /media.php, never directly via a URL path.
+    $uploadBaseDir = STORAGE_ROOT . "/theses/{$annee}/{$identifier}/";
+    $coverDir = STORAGE_ROOT . "/covers/";
 
     if (!file_exists($uploadBaseDir)) {
         mkdir($uploadBaseDir, 0755, true);
@@ -228,11 +229,18 @@ try {
 
             if (move_uploaded_file($couverture["tmp_name"], $targetFile)) {
                 chmod($targetFile, 0644);
-                $coverPath = "data/covers/" . $safeFileName;
+                // Path stored relative to STORAGE_ROOT; served via /media.php?path=...
+                $coverPath = "covers/" . $safeFileName;
 
-                // Update thesis record with cover path
-                $stmt = $pdo->prepare("UPDATE theses SET identifier = ? WHERE id = ?");
-                // Store cover path in remarks for now (we could add a cover_path column)
+                // Record cover in thesis_files (type = 'cover')
+                $db->insertThesisFile(
+                    $thesisId,
+                    'cover',
+                    $coverPath,
+                    basename($couverture["name"]),
+                    $couverture["size"],
+                    $mimeType
+                );
                 error_log("Cover image uploaded: " . $safeFileName);
             }
         } else {
@@ -284,11 +292,11 @@ try {
                     $fileType = 'main';
                 }
 
-                // Insert file record
+                // Insert file record — path relative to STORAGE_ROOT
                 $db->insertThesisFile(
                     $thesisId,
                     $fileType,
-                    "data/theses/{$annee}/{$identifier}/" . $safeFileName,
+                    "theses/{$annee}/{$identifier}/" . $safeFileName,
                     basename($files["name"][$i]),
                     $files["size"][$i],
                     $mimeType