Reintroduce TFE duration metadata: DB columns, form fields, controllers, views, and migration

Add 'unsafe-eval' to CSP script-src directives (htmx requires Function())
2026-06-25 16:19:19 +02:00 · 2026-06-11 13:05:37 +02:00
parent 00fed5f0e3
commit d588ae004d
81 changed files with 1061 additions and 840 deletions
--- a/app/public/admin/actions/acces-etudiante.php
+++ b/app/public/admin/actions/acces-etudiante.php
@@ -7,8 +7,6 @@ require_once __DIR__ . '/../../../src/AdminAuth.php';
 require_once __DIR__ . '/../../../src/ShareLink.php';
 require_once __DIR__ . '/../../../src/AdminLogger.php';

-error_log('[acces-etudiante.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
-
 App::adminGuard();

 if ($_SERVER['REQUEST_METHOD'] !== 'POST'
@@ -90,6 +88,15 @@ switch ($action) {
        }
        break;

+    case 'delete':
+        if ($id > 0) {
+            $shareLink->delete($id);
+            App::redirect('/admin/acces.php', success: 'Lien supprimé définitivement.');
+        } else {
+            App::redirect('/admin/acces.php', error: 'Lien introuvable.');
+        }
+        break;
+
    case 'update':
        if ($id > 0) {
            $name       = isset($_POST['name']) ? trim($_POST['name']) : null;
--- a/app/public/admin/actions/access-request.php
+++ b/app/public/admin/actions/access-request.php
@@ -6,7 +6,6 @@
 */
 require_once __DIR__ . '/../../../bootstrap.php';
 require_once __DIR__ . '/../../../src/AdminAuth.php';
-error_log('[access-request.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | request_id=' . ($_POST['request_id'] ?? 0) . ' | post_keys=' . implode(',', array_keys($_POST)));
 AdminAuth::requireLogin();

 if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
--- a/app/public/admin/actions/account.php
+++ b/app/public/admin/actions/account.php
@@ -11,8 +11,6 @@ require_once __DIR__ . '/../../../bootstrap.php';
 require_once __DIR__ . '/../../../src/AdminAuth.php';
 require_once __DIR__ . '/../../../src/Database.php';

-error_log('[account.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'change_password') . ' | post_keys=' . implode(',', array_keys($_POST)));
-
 AdminAuth::requireLogin();

 // ── CSRF ──────────────────────────────────────────────────────────────────────
--- a/app/public/admin/actions/apropos.php
+++ b/app/public/admin/actions/apropos.php
@@ -8,7 +8,6 @@
 */
 require_once __DIR__ . "/../../../bootstrap.php";
 require_once __DIR__ . '/../../../src/AdminAuth.php';
-error_log('[apropos.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | key=' . ($_POST['apropos_key'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
 AdminAuth::requireLogin();

 $isAjax = (!empty($_SERVER['HTTP_ACCEPT']) && str_contains($_SERVER['HTTP_ACCEPT'], 'application/json'))
--- a/app/public/admin/actions/corbeille.php
+++ b/app/public/admin/actions/corbeille.php
@@ -1,8 +1,6 @@
 <?php
 require_once __DIR__ . '/../../../bootstrap.php';
 require_once __DIR__ . '/../../../src/AdminAuth.php';
-error_log('[corbeille.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none'));
-
 AdminAuth::requireLogin();

 if ($_SERVER['REQUEST_METHOD'] !== 'POST'
--- a/app/public/admin/actions/delete.php
+++ b/app/public/admin/actions/delete.php
@@ -1,8 +1,6 @@
 <?php
 require_once __DIR__ . '/../../../bootstrap.php';
 require_once __DIR__ . '/../../../src/AdminAuth.php';
-error_log('[delete.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | is_bulk=' . (!empty($_POST['bulk']) ? '1' : '0') . ' | post_keys=' . implode(',', array_keys($_POST)));
-
 AdminAuth::requireLogin();

 require_once __DIR__ . '/../../../src/Database.php';
--- a/app/public/admin/actions/draft.php
+++ b/app/public/admin/actions/draft.php
@@ -0,0 +1,93 @@
+<?php
+/**
+ * Admin autosave draft endpoint.
+ *
+ * POST — receive all form fields and persist them to the session draft store.
+ *
+ * Drafts are scoped per mode:
+ *   - add: keyed by a generated token (stored in form)
+ *   - edit: keyed by thesis_id
+ *
+ * Excluded field patterns (not persisted as drafts):
+ *   - csrf_token
+ *   - FilePond metadata (filepond_mode, queue_file, filepond_*)
+ *   - Files-related fields
+ *   - Empty values
+ */
+require_once __DIR__ . '/../../../bootstrap.php';
+require_once APP_ROOT . '/src/AdminAuth.php';
+AdminAuth::requireLogin();
+
+$method = $_SERVER['REQUEST_METHOD'];
+
+// ── CSRF check ──────────────────────────────────────────────────────────
+if ($method !== 'POST') {
+    http_response_code(405);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Méthode non autorisée.']);
+    exit;
+}
+
+if (
+    !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
+    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])
+) {
+    http_response_code(403);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Token de sécurité invalide.']);
+    exit;
+}
+
+// ── Determine draft key ─────────────────────────────────────────────────
+$draftToken = $_POST['draft_token'] ?? '';
+$thesisId   = (int)($_POST['thesis_id'] ?? 0);
+
+if ($draftToken !== '' && preg_match('/^[a-f0-9]{16}$/', $draftToken)) {
+    $draftKey = 'admin_draft_' . $draftToken;
+} elseif ($thesisId > 0) {
+    $draftKey = 'admin_draft_edit_' . $thesisId;
+} else {
+    http_response_code(400);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Paramètres invalides.']);
+    exit;
+}
+
+// ── Save all form fields ────────────────────────────────────────────────
+$excludePrefixes = [
+    'csrf_token', 'share_link_token',
+    'filepond_mode', 'queue_file', 'filepond_',
+];
+$excludeExact = ['draft_token', 'thesis_id', 'slug',
+    'couverture', 'note_intention', 'files', 'annexes',
+    'peertube_video', 'peertube_audio', 'cover_remove',
+    'go', 'MAX_FILE_SIZE'];
+
+$draft = [];
+foreach ($_POST as $key => $value) {
+    if (in_array($key, $excludeExact, true)) continue;
+    $skip = false;
+    foreach ($excludePrefixes as $prefix) {
+        if (str_starts_with($key, $prefix)) { $skip = true; break; }
+    }
+    if ($skip) continue;
+
+    if ($value === '' || $value === null || (is_array($value) && count($value) === 0)) {
+        continue;
+    }
+
+    $draft[$key] = $value;
+}
+
+$_SESSION[$draftKey] = $draft;
+
+// Rotate CSRF after mutation
+$newToken = bin2hex(random_bytes(32));
+$_SESSION['csrf_token'] = $newToken;
+
+header('Content-Type: application/json');
+echo json_encode([
+    'success'    => true,
+    'csrf_token' => $newToken,
+]);
+exit;
--- a/app/public/admin/actions/edit.php
+++ b/app/public/admin/actions/edit.php
@@ -3,8 +3,6 @@
 require_once __DIR__ . "/../../../bootstrap.php";
 require_once __DIR__ . '/../../../src/AdminAuth.php';

-error_log('[edit.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | content_type=' . ($_SERVER['CONTENT_TYPE'] ?? 'none') . ' | content_length=' . ($_SERVER['CONTENT_LENGTH'] ?? '0') . ' | post_keys=' . implode(',', array_keys($_POST)) . ' | files_count=' . count($_FILES) . ' | files_keys=' . implode(',', array_keys($_FILES)) . ' | queue_tfe=' . (isset($_FILES['queue_file']['name']['tfe']) ? count(array_filter($_FILES['queue_file']['name']['tfe'])) : 0));
-
 // PHP-level auth guard (defence-in-depth behind nginx Basic Auth)
 AdminAuth::requireLogin();

@@ -37,6 +35,10 @@ try {
    // Regenerate CSRF token after successful save
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));

+    // Clear autosave draft + FilePond temp files
+    unset($_SESSION['admin_draft_edit_' . $thesisId]);
+    unset($_SESSION['filepond_tmp']);
+
    AdminLogger::make()->logEdit($thesisId, $_POST['titre'] ?? $_POST['title'] ?? '');

    App::flash('success', "TFE mis à jour avec succès!");
--- a/app/public/admin/actions/filepond/relink.php
+++ b/app/public/admin/actions/filepond/relink.php
@@ -24,7 +24,6 @@ function relinkError(int $code, string $message): never {

 // CSRF via header
 $csrfHeader = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
-error_log('[relink] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | csrf=' . (isset($_SESSION['csrf_token']) ? 'set' : 'missing') . ' | header=' . (strlen($csrfHeader) > 0 ? substr($csrfHeader, 0, 8) . '...' : 'empty') . ' | body_len=' . strlen(file_get_contents('php://input')));
 if (!isset($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $csrfHeader)) {
    relinkError(403, 'Token CSRF invalide.');
--- a/app/public/admin/actions/form-help.php
+++ b/app/public/admin/actions/form-help.php
@@ -6,7 +6,6 @@
 */
 require_once __DIR__ . '/../../../bootstrap.php';
 require_once __DIR__ . '/../../../src/AdminAuth.php';
-error_log('[form-help.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | key=' . ($_POST['form_help_key'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
 AdminAuth::requireLogin();

 $isAjax = (!empty($_SERVER['HTTP_ACCEPT']) && str_contains($_SERVER['HTTP_ACCEPT'], 'application/json'))
--- a/app/public/admin/actions/formulaire.php
+++ b/app/public/admin/actions/formulaire.php
@@ -3,8 +3,6 @@
 require_once __DIR__ . '/../../../bootstrap.php';
 require_once __DIR__ . '/../../../src/AdminAuth.php';

-error_log('[formulaire.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | content_type=' . ($_SERVER['CONTENT_TYPE'] ?? 'none') . ' | content_length=' . ($_SERVER['CONTENT_LENGTH'] ?? '0') . ' | post_keys=' . implode(',', array_keys($_POST)) . ' | files_count=' . count($_FILES) . ' | files_keys=' . implode(',', array_keys($_FILES)) . ' | queue_tfe=' . (isset($_FILES['queue_file']['name']['tfe']) ? count(array_filter($_FILES['queue_file']['name']['tfe'])) : 0));
-
 // Only suppress display_errors in production (cli-server = dev mode).
 if (php_sapi_name() !== 'cli-server') {
    ini_set('display_errors', 0);
@@ -25,8 +23,6 @@ if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    die('Erreur de sécurité : token invalide. Veuillez recharger le formulaire.');
 }

-error_log('[formulaire.php] full FILES array: ' . print_r($_FILES, true));
-
 require_once APP_ROOT . '/src/Controllers/ThesisCreateController.php';
 require_once APP_ROOT . '/src/AppLogger.php';
 require_once APP_ROOT . '/src/AdminLogger.php';
@@ -45,6 +41,10 @@ try {
    $logger->logSubmission('admin', $thesisId, $identifier, $authorName);
    $adminLogger->logAdd($thesisId, $identifier, $authorName);

+    // Clear autosave draft + FilePond temp files
+    unset($_SESSION['admin_draft_' . ($_POST['draft_token'] ?? '')]);
+    unset($_SESSION['admin_draft_add_token']);
+    unset($_SESSION['filepond_tmp']);
    unset($_SESSION['csrf_token']);

    $redirect = '../recapitulatif.php?id=' . $thesisId;
--- a/app/public/admin/actions/language.php
+++ b/app/public/admin/actions/language.php
@@ -1,7 +1,6 @@
 <?php
 require_once __DIR__ . '/../../../bootstrap.php';
 require_once __DIR__ . '/../../../src/AdminAuth.php';
-error_log('[language.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
 AdminAuth::requireLogin();

 if ($_SERVER['REQUEST_METHOD'] !== 'POST'
--- a/app/public/admin/actions/maintenance.php
+++ b/app/public/admin/actions/maintenance.php
@@ -1,7 +1,6 @@
 <?php
 require_once __DIR__ . '/../../../bootstrap.php';
 require_once __DIR__ . '/../../../src/AdminAuth.php';
-error_log('[maintenance.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
 AdminAuth::requireLogin();

 if ($_SERVER['REQUEST_METHOD'] !== 'POST'
--- a/app/public/admin/actions/page.php
+++ b/app/public/admin/actions/page.php
@@ -5,7 +5,6 @@
 */
 require_once __DIR__ . '/../../../bootstrap.php';
 require_once __DIR__ . '/../../../src/AdminAuth.php';
-error_log('[page.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | slug=' . ($_POST['slug'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
 AdminAuth::requireLogin();

 $isAjax = (!empty($_SERVER['HTTP_ACCEPT']) && str_contains($_SERVER['HTTP_ACCEPT'], 'application/json'))
--- a/app/public/admin/actions/publish.php
+++ b/app/public/admin/actions/publish.php
@@ -1,8 +1,6 @@
 <?php
 require_once __DIR__ . '/../../../bootstrap.php';
 require_once __DIR__ . '/../../../src/AdminAuth.php';
-error_log('[publish.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | is_bulk=' . (!empty($_POST['bulk']) ? '1' : '0') . ' | post_keys=' . implode(',', array_keys($_POST)));
-
 AdminAuth::requireLogin();

 require_once __DIR__ . '/../../../src/Database.php';
--- a/app/public/admin/actions/settings.php
+++ b/app/public/admin/actions/settings.php
@@ -1,12 +1,10 @@
 <?php
 require_once __DIR__ . '/../../../bootstrap.php';
 require_once __DIR__ . '/../../../src/AdminAuth.php';
-error_log('[settings.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | section=' . ($_POST['section'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
 AdminAuth::requireLogin();

 if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
-    error_log('[settings.php] CSRF FAIL | session_token=' . ($_SESSION['csrf_token'] ?? 'none') . ' | post_token=' . ($_POST['csrf_token'] ?? 'none'));
    App::flash('error', "Erreur de sécurité : token invalide.");
    header('Location: /admin/parametres.php');
    exit;
@@ -21,7 +19,6 @@ $logger = AdminLogger::make();

 $isHxRequest = (isset($_SERVER['HTTP_HX_REQUEST']) && $_SERVER['HTTP_HX_REQUEST'] === 'true');
 $section = $_POST['section'] ?? '';
-error_log('[settings.php] PROCESS | section=' . $section . ' | post_keys=' . implode(',', array_keys($_POST)));

 /**
 * Return an HTML toast fragment for HTMX responses and exit.
@@ -58,9 +55,7 @@ function hxToastError(string $message): never {
 if ($section === 'formulaire_restrictions') {
    // HTMX may not send unchecked checkboxes even with hidden 0-value inputs;
    // missing key means unchecked → treat as '0'.
-    $rawPost = $_POST['restricted_files_enabled'] ?? '(missing)';
    $newValue = empty($_POST['restricted_files_enabled']) ? '0' : '1';
-    error_log('[settings.php] SAVE formulaire_restrictions | restricted_files_enabled raw=' . var_export($rawPost, true) . ' | resolved=' . $newValue);
    $db->setSetting('restricted_files_enabled', $newValue);
    $logger->logFormSettingsUpdate(['restricted_files_enabled' => $newValue]);
    if ($isHxRequest) {
@@ -76,9 +71,7 @@ if ($section === 'formulaire_restrictions') {
    ];
    $newValues = [];
    foreach ($allowed as $key) {
-        $raw = $_POST[$key] ?? '(missing)';
        $value = empty($_POST[$key]) ? '0' : '1';
-        error_log('[settings.php] SAVE formulaire_acces | ' . $key . ' raw=' . var_export($raw, true) . ' | resolved=' . $value);
        $db->setSetting($key, $value);
        $newValues[$key] = $value;
    }
@@ -89,14 +82,10 @@ if ($section === 'formulaire_restrictions') {
        App::flash('success', "Degrés d'ouverture mis à jour.");
    }
 } elseif ($section === 'objet_types') {
-    $rawThese = $_POST['objet_these_enabled'] ?? '(missing)';
-    $rawFrart = $_POST['objet_frart_enabled'] ?? '(missing)';
    $newValues = [
        'objet_these_enabled' => empty($_POST['objet_these_enabled']) ? '0' : '1',
        'objet_frart_enabled' => empty($_POST['objet_frart_enabled']) ? '0' : '1',
    ];
-    error_log('[settings.php] SAVE objet_types | objet_these_enabled raw=' . var_export($rawThese, true) . ' | resolved=' . $newValues['objet_these_enabled']);
-    error_log('[settings.php] SAVE objet_types | objet_frart_enabled raw=' . var_export($rawFrart, true) . ' | resolved=' . $newValues['objet_frart_enabled']);
    $db->setSetting('objet_these_enabled', $newValues['objet_these_enabled']);
    $db->setSetting('objet_frart_enabled', $newValues['objet_frart_enabled']);
    $logger->logObjetTypesUpdate($newValues);
--- a/app/public/admin/actions/smtp-test.php
+++ b/app/public/admin/actions/smtp-test.php
@@ -1,7 +1,6 @@
 <?php
 require_once __DIR__ . "/../../../bootstrap.php";
 require_once __DIR__ . '/../../../src/AdminAuth.php';
-error_log('[smtp-test.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | test_email=' . ($_POST['test_email'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
 AdminAuth::requireLogin();

 require_once APP_ROOT . '/src/Database.php';
--- a/app/public/admin/actions/tag.php
+++ b/app/public/admin/actions/tag.php
@@ -1,7 +1,6 @@
 <?php
 require_once __DIR__ . '/../../../bootstrap.php';
 require_once __DIR__ . '/../../../src/AdminAuth.php';
-error_log('[tag.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
 AdminAuth::requireLogin();

 if ($_SERVER['REQUEST_METHOD'] !== 'POST'
--- a/app/public/admin/actions/visibility.php
+++ b/app/public/admin/actions/visibility.php
@@ -1,7 +1,6 @@
 <?php
 require_once __DIR__ . '/../../../bootstrap.php';
 require_once __DIR__ . '/../../../src/AdminAuth.php';
-error_log('[visibility.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | is_bulk=' . (!empty($_POST['bulk']) ? '1' : '0') . ' | post_keys=' . implode(',', array_keys($_POST)));
 AdminAuth::requireLogin();

 if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
--- a/app/public/admin/contenus-edit.php
+++ b/app/public/admin/contenus-edit.php
@@ -83,35 +83,33 @@ $extraJsInline = '';

 if ($editType === 'page' || $editType === 'about_page') {
    $initialContent = $page["content"] ?? "";
-    $extraJs = ["/assets/js/vendor/overtype.min.js", "/assets/js/app/autosave-handler.js"];
+    $extraJs = ["/assets/js/vendor/overtype.min.js"];
    $extraJsInline = <<<'JS'
 var OT = window.OverType.default || window.OverType;
 var hidden = document.getElementById('content');
 var editor = new OT(document.getElementById('editor'), {
    value: hidden.value,
-    minHeight: '400px',
+    minHeight: '100%',
    spellcheck: false,
    toolbar: true,
    onChange: function(value) {
        hidden.value = value;
-        hidden.dispatchEvent(new CustomEvent('overtype:change', { bubbles: true }));
    }
 });
 JS;
 } elseif ($editType === 'form_help') {
    $initialContent = $formHelpContent;
-    $extraJs = ["/assets/js/vendor/overtype.min.js", "/assets/js/app/autosave-handler.js"];
+    $extraJs = ["/assets/js/vendor/overtype.min.js"];
    $extraJsInline = <<<'JS'
 var OT = window.OverType.default || window.OverType;
 var hidden = document.getElementById('content');
 var editor = new OT(document.getElementById('editor'), {
    value: hidden.value,
-    minHeight: '400px',
+    minHeight: '100%',
    spellcheck: false,
    toolbar: true,
    onChange: function(value) {
        hidden.value = value;
-        hidden.dispatchEvent(new CustomEvent('overtype:change', { bubbles: true }));
    }
 });
 JS;
--- a/app/public/admin/edit.php
+++ b/app/public/admin/edit.php
@@ -123,12 +123,12 @@ extract(FormBootstrap::adminFormVariables(
    mode:         'edit',
    formAction:   '/admin/actions/edit.php',
    hiddenFields:
-        '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($_SESSION['csrf_token']) . '">'
-        . '<input type="hidden" name="thesis_id" value="' . $thesisId . '">',
+        '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($_SESSION['csrf_token']) . '">',
    formData:     $formData,
    siteSettings: $siteSettings,
    helpBlocks:   $helpBlocks,
    options: [
+        'thesisId'              => $thesisId,
        'filesMode'             => 'edit',
        'existingWebsiteUrl'    => $existingWebsiteUrl,
        'existingWebsiteLabel'  => $existingWebsiteLabel,
@@ -144,6 +144,8 @@ extract(FormBootstrap::adminFormVariables(
        'currentFiles'          => $currentFiles ?? [],
        'currentContextNote'    => $currentContextNote ?? null,
        'currentContactVisible' => $currentContactVisible ?? null,
+        'currentDurationValue'  => $currentDurationValue ?? null,
+        'currentDurationUnit'   => $currentDurationUnit ?? 'pages',
        'contactInterne'        => $contactInterne ?? null,
        'contactPublic'         => $contactPublic ?? false,
        'showCoverPreview'      => true,
@@ -158,6 +160,10 @@ $formData['license_id']     = $currentLicenseId;
 $formData['license_custom'] = $currentRaw['license_custom'] ?? '';
 $formData['cc2r']           = $currentRaw['cc2r'] ?? false;

+// Duration variables for the form template
+$durationValue = $currentDurationValue ?? null;
+$durationUnit  = $currentDurationUnit ?? 'pages';
+
 // Asset arrays and page chrome
 $isAdmin        = true;
 $bodyClass      = 'admin-body';
--- a/app/public/admin/fragments/file-browser.php
+++ b/app/public/admin/fragments/file-browser.php
@@ -13,8 +13,6 @@ AdminAuth::requireLogin();

 $storageRoot = STORAGE_ROOT;

-error_log('[file-browser] ENTRY | dir=' . ($_GET['dir'] ?? '(root)') . ' | storageRoot=' . $storageRoot);
-
 // Determine which directory to browse
 $relDir = trim($_GET['dir'] ?? '', '/');
 if ($relDir !== '' && !preg_match('#^(tfe|these|frart|documents|theses)(/|$)#', $relDir)) {
--- a/app/public/admin/index.php
+++ b/app/public/admin/index.php
@@ -17,7 +17,6 @@ $importResults = [];
 $importDone    = false;

 if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['csv_file'])) {
-    error_log('[admin/index.php] IMPORT ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | content_type=' . ($_SERVER['CONTENT_TYPE'] ?? 'none') . ' | csv_file_error=' . ($_FILES['csv_file']['error'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
    if (!isset($_POST['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
        $importErrors[] = "Erreur de sécurité : token invalide.";
    } else {
--- a/app/public/admin/login.php
+++ b/app/public/admin/login.php
@@ -2,8 +2,6 @@
 require_once __DIR__ . '/../../bootstrap.php';
 require_once __DIR__ . '/../../src/AdminAuth.php';

-error_log('[admin/login.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | is_auth=' . (AdminAuth::isAuthenticated() ? '1' : '0') . ' | has_password=' . (AdminAuth::hasPassword() ? '1' : '0'));
-
 if (!AdminAuth::hasPassword()) {
    header('Location: /admin/');
    exit;
@@ -24,8 +22,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 }

 $pageTitle = 'Connexion';
-$isAdmin = true; $bodyClass = 'admin-body';
+$isAdmin = true; $isLogin = true; $bodyClass = 'admin-body';
 require_once APP_ROOT . '/templates/head.php';
 include APP_ROOT . '/templates/header.php';
 include APP_ROOT . '/templates/admin/login.php';
-require_once APP_ROOT . '/templates/admin/footer.php';
+// Login page does not render the admin footer (no toast-region poll, no HTMX extras).
+// It closes <html> directly so there is no dangling HTMX polling the toast endpoint
+// while unauthenticated.
+echo "\n</body>\n</html>";
--- a/app/public/admin/recapitulatif.php
+++ b/app/public/admin/recapitulatif.php
@@ -24,7 +24,10 @@ if (isset($_GET['id'])) {
    if ($thesisId !== false && $thesisId > 0) {
        try {
            $db = new Database();
-            $thesis = $db->getThesis($thesisId);
+            // Student-mode preview: only show published theses.
+            $thesis = $studentMode
+                ? $db->getThesisById($thesisId)
+                : $db->getThesis($thesisId);

            if (!$thesis) {
                $error = "TFE non trouvé.";
--- a/app/public/admin/toast-fragment.php
+++ b/app/public/admin/toast-fragment.php
@@ -9,7 +9,13 @@
 require_once __DIR__ . '/../../bootstrap.php';
 require_once __DIR__ . '/../../src/AdminAuth.php';

-AdminAuth::requireLogin();
+// Don't redirect unauthenticated requests — just return empty (defense-in-depth).
+// The toast-region poll fires on <hx-trigger="load">; if the user is on the
+// login page they are not authenticated yet.
+if (!AdminAuth::isAuthenticated()) {
+    http_response_code(204);
+    exit;
+}

 $flash = App::consumeFlash();