From c3f6e8a033623431f79e577fc8ec244a0fe0b07c Mon Sep 17 00:00:00 2001
From: Pontoporeia <pontoporeia@happyngreen.fr>
Date: Mon, 11 May 2026 16:55:58 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20upload=20progress=20bar=20not=20visible?=
 =?UTF-8?q?=20=E2=80=94=20collectFileNames=20checks=20FilePond=20instances?=
 =?UTF-8?q?;=20remove=20admin=20auth=20from=20progress=20poll=20endpoint?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 TODO.md                                      |  1 +
 app/public/admin/actions/upload-progress.php |  6 ++++--
 app/public/assets/js/upload-progress.js      | 16 ++++++++++++++++
 app/templates/admin/acces.php                | 13 +++++++++++++
 4 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/TODO.md b/TODO.md
index 819eb05..e6474b4 100644
--- a/TODO.md
+++ b/TODO.md
@@ -40,6 +40,7 @@
 - [x] **Nginx rate limiting too aggressive** — increased admin zone to 300r/m, burst=30 to handle ~11 concurrent HTMX fragment requests on contenus.php page load
 - [x] **Migration idempotency** — `CREATE INDEX` / `CREATE TRIGGER` / `CREATE VIEW` now use `IF NOT EXISTS` in schema.sql and generate-schema.py; migrate.sh no longer fails on re-run
 - [ ] **Database readonly** — intermittent permission issue after deploy (added deploy-nginx recipe; permissions should be fixed by --chown + deploy-server.sh)
+- [x] **Upload progress bar not visible** — `collectFileNames()` now also checks FilePond instances directly (not just `input.files`); `upload-progress.php` no longer requires admin auth (blocked partage form polling)
 
 ## PeerTube Alternate Labels & FilePond Pools
 
diff --git a/app/public/admin/actions/upload-progress.php b/app/public/admin/actions/upload-progress.php
index 53c8912..b7e6c2d 100644
--- a/app/public/admin/actions/upload-progress.php
+++ b/app/public/admin/actions/upload-progress.php
@@ -15,8 +15,10 @@
  */
 
 require_once __DIR__ . '/../../../bootstrap.php';
-require_once __DIR__ . '/../../../src/AdminAuth.php';
-AdminAuth::requireLogin();
+// No AdminAuth check here — this endpoint is called by client-side JS during
+// both admin and partage (student) form uploads.  Access is guarded by the
+// progress token (64 bits of entropy, fresh per form render) which must match
+// a temp file that only exists during an active upload.
 
 header('Content-Type: application/json');
 
diff --git a/app/public/assets/js/upload-progress.js b/app/public/assets/js/upload-progress.js
index 660acb0..fc70dd9 100644
--- a/app/public/assets/js/upload-progress.js
+++ b/app/public/assets/js/upload-progress.js
@@ -33,6 +33,7 @@
 
         function collectFileNames() {
             const names = [];
+            // Check raw <input type="file"> elements (non-FilePond or FilePond-managed with storeAsFile)
             const inputs = form.querySelectorAll('input[type="file"]');
             for (const fi of inputs) {
                 if (fi.files) {
@@ -41,6 +42,21 @@
                     }
                 }
             }
+            // Also check FilePond instances directly (their storeAsFile hidden inputs may not
+            // have .files populated yet when the submit event fires)
+            if (typeof FilePond !== 'undefined') {
+                const pondInputs = form.querySelectorAll('.tfe-file-picker');
+                for (const pi of pondInputs) {
+                    const pond = FilePond.find(pi);
+                    if (pond) {
+                        const pondFiles = pond.getFiles();
+                        for (const pf of pondFiles) {
+                            const name = pf.filename || (pf.file && pf.file.name);
+                            if (name) names.push(name);
+                        }
+                    }
+                }
+            }
             return names;
         }
 
diff --git a/app/templates/admin/acces.php b/app/templates/admin/acces.php
index 9e7bda6..822195a 100644
--- a/app/templates/admin/acces.php
+++ b/app/templates/admin/acces.php
@@ -1403,6 +1403,19 @@
 +%%%%%%% diff from: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision)
 +\\\\\\\        to: vpmpppym dde7c80e "add upload-progress.js to partage form (progress bar was missing on public submissions)" (rebased revision)
 ++                        $linkName = $link['name'] ?? '';
+++                        $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff from: vpmpppym dde7c80e "add upload-progress.js to partage form (progress bar was missing on public submissions)" (rebased revision)
+\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\        to: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision)
+-                        $linkName = $link['name'] ?? '';
+-                        $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff from: somsyvxz 14a3cd10 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebase destination)
+\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\        to: tqymlyml 7c47641d "fix: upload progress bar not visible — collectFileNames checks FilePond instances; remove admin auth from progress poll endpoint" (rebased revision)
+                         $linkName = $link['name'] ?? '';
+                         $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';
+                         $linkLockedYear = $link['locked_year'] ?? null;
++%%%%%%% diff from: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision)
++\\\\\\\        to: tqymlyml 4edc02cb "fix: upload progress bar not visible — collectFileNames checks FilePond instances; remove admin auth from progress poll endpoint" (rebased revision)
+++                        $linkName = $link['name'] ?? '';
 ++                        $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';
                     ?>
                     <tr class="admin-table-row" onclick="event.stopPropagation(); window.open('/partage/<?= urlencode($link['slug']) ?>', '_blank')" style="cursor:pointer">