PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-06-25 16:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Reintroduce TFE duration metadata: DB columns, form fields, controllers, views, and migration

Browse Source 
Add 'unsafe-eval' to CSP script-src directives (htmx requires Function())
This commit is contained in:
Pontoporeia
2026-06-11 13:05:37 +02:00
parent 00fed5f0e3
commit d588ae004d
81 changed files with 1061 additions and 840 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
app/public/admin/actions/acces-etudiante.php
View File

@@ -7,8 +7,6 @@ require_once __DIR__ . '/../../../src/AdminAuth.php';
require_once __DIR__ . '/../../../src/ShareLink.php';
require_once __DIR__ . '/../../../src/AdminLogger.php';
error_log('[acces-etudiante.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
App::adminGuard();
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
@@ -90,6 +88,15 @@ switch ($action) {
}
break;
case 'delete':
if ($id > 0) {
$shareLink->delete($id);
App::redirect('/admin/acces.php', success: 'Lien supprimé définitivement.');
} else {
App::redirect('/admin/acces.php', error: 'Lien introuvable.');
}
break;
case 'update':
if ($id > 0) {
$name = isset($_POST['name']) ? trim($_POST['name']) : null;

1
app/public/admin/actions/access-request.php
View File

@@ -6,7 +6,6 @@
*/
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[access-request.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | request_id=' . ($_POST['request_id'] ?? 0) . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])

2
app/public/admin/actions/account.php
View File

@@ -11,8 +11,6 @@ require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
require_once __DIR__ . '/../../../src/Database.php';
error_log('[account.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'change_password') . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();
// ── CSRF ──────────────────────────────────────────────────────────────────────

1
app/public/admin/actions/apropos.php
View File

@@ -8,7 +8,6 @@
*/
require_once __DIR__ . "/../../../bootstrap.php";
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[apropos.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | key=' . ($_POST['apropos_key'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();
$isAjax = (!empty($_SERVER['HTTP_ACCEPT']) && str_contains($_SERVER['HTTP_ACCEPT'], 'application/json'))

2
app/public/admin/actions/corbeille.php
View File

@@ -1,8 +1,6 @@
<?php
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[corbeille.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none'));
AdminAuth::requireLogin();
if ($_SERVER['REQUEST_METHOD'] !== 'POST'

2
app/public/admin/actions/delete.php
View File

@@ -1,8 +1,6 @@
<?php
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[delete.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | is_bulk=' . (!empty($_POST['bulk']) ? '1' : '0') . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();
require_once __DIR__ . '/../../../src/Database.php';

93
app/public/admin/actions/draft.php Normal file
View File

@@ -0,0 +1,93 @@
<?php
/**
* Admin autosave draft endpoint.
*
* POST — receive all form fields and persist them to the session draft store.
*
* Drafts are scoped per mode:
* - add: keyed by a generated token (stored in form)
* - edit: keyed by thesis_id
*
* Excluded field patterns (not persisted as drafts):
* - csrf_token
* - FilePond metadata (filepond_mode, queue_file, filepond_*)
* - Files-related fields
* - Empty values
*/
require_once __DIR__ . '/../../../bootstrap.php';
require_once APP_ROOT . '/src/AdminAuth.php';
AdminAuth::requireLogin();
$method = $_SERVER['REQUEST_METHOD'];
// ── CSRF check ──────────────────────────────────────────────────────────
if ($method !== 'POST') {
http_response_code(405);
header('Content-Type: application/json');
echo json_encode(['error' => 'Méthode non autorisée.']);
exit;
}
if (
!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
|| !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])
) {
http_response_code(403);
header('Content-Type: application/json');
echo json_encode(['error' => 'Token de sécurité invalide.']);
exit;
}
// ── Determine draft key ─────────────────────────────────────────────────
$draftToken = $_POST['draft_token'] ?? '';
$thesisId = (int)($_POST['thesis_id'] ?? 0);
if ($draftToken !== '' && preg_match('/^[a-f0-9]{16}$/', $draftToken)) {
$draftKey = 'admin_draft_' . $draftToken;
} elseif ($thesisId > 0) {
$draftKey = 'admin_draft_edit_' . $thesisId;
} else {
http_response_code(400);
header('Content-Type: application/json');
echo json_encode(['error' => 'Paramètres invalides.']);
exit;
}
// ── Save all form fields ────────────────────────────────────────────────
$excludePrefixes = [
'csrf_token', 'share_link_token',
'filepond_mode', 'queue_file', 'filepond_',
];
$excludeExact = ['draft_token', 'thesis_id', 'slug',
'couverture', 'note_intention', 'files', 'annexes',
'peertube_video', 'peertube_audio', 'cover_remove',
'go', 'MAX_FILE_SIZE'];
$draft = [];
foreach ($_POST as $key => $value) {
if (in_array($key, $excludeExact, true)) continue;
$skip = false;
foreach ($excludePrefixes as $prefix) {
if (str_starts_with($key, $prefix)) { $skip = true; break; }
}
if ($skip) continue;
if ($value === '' || $value === null || (is_array($value) && count($value) === 0)) {
continue;
}
$draft[$key] = $value;
}
$_SESSION[$draftKey] = $draft;
// Rotate CSRF after mutation
$newToken = bin2hex(random_bytes(32));
$_SESSION['csrf_token'] = $newToken;
header('Content-Type: application/json');
echo json_encode([
'success' => true,
'csrf_token' => $newToken,
]);
exit;

6
app/public/admin/actions/edit.php
View File

@@ -3,8 +3,6 @@
require_once __DIR__ . "/../../../bootstrap.php";
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[edit.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | content_type=' . ($_SERVER['CONTENT_TYPE'] ?? 'none') . ' | content_length=' . ($_SERVER['CONTENT_LENGTH'] ?? '0') . ' | post_keys=' . implode(',', array_keys($_POST)) . ' | files_count=' . count($_FILES) . ' | files_keys=' . implode(',', array_keys($_FILES)) . ' | queue_tfe=' . (isset($_FILES['queue_file']['name']['tfe']) ? count(array_filter($_FILES['queue_file']['name']['tfe'])) : 0));
// PHP-level auth guard (defence-in-depth behind nginx Basic Auth)
AdminAuth::requireLogin();
@@ -37,6 +35,10 @@ try {
// Regenerate CSRF token after successful save
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
// Clear autosave draft + FilePond temp files
unset($_SESSION['admin_draft_edit_' . $thesisId]);
unset($_SESSION['filepond_tmp']);
AdminLogger::make()->logEdit($thesisId, $_POST['titre'] ?? $_POST['title'] ?? '');
App::flash('success', "TFE mis à jour avec succès!");

1
app/public/admin/actions/filepond/relink.php
View File

@@ -24,7 +24,6 @@ function relinkError(int $code, string $message): never {
// CSRF via header
$csrfHeader = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
error_log('[relink] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | csrf=' . (isset($_SESSION['csrf_token']) ? 'set' : 'missing') . ' | header=' . (strlen($csrfHeader) > 0 ? substr($csrfHeader, 0, 8) . '...' : 'empty') . ' | body_len=' . strlen(file_get_contents('php://input')));
if (!isset($_SESSION['csrf_token'])
|| !hash_equals($_SESSION['csrf_token'], $csrfHeader)) {
relinkError(403, 'Token CSRF invalide.');

1
app/public/admin/actions/form-help.php
View File

@@ -6,7 +6,6 @@
*/
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[form-help.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | key=' . ($_POST['form_help_key'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();
$isAjax = (!empty($_SERVER['HTTP_ACCEPT']) && str_contains($_SERVER['HTTP_ACCEPT'], 'application/json'))

8
app/public/admin/actions/formulaire.php
View File

@@ -3,8 +3,6 @@
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[formulaire.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | content_type=' . ($_SERVER['CONTENT_TYPE'] ?? 'none') . ' | content_length=' . ($_SERVER['CONTENT_LENGTH'] ?? '0') . ' | post_keys=' . implode(',', array_keys($_POST)) . ' | files_count=' . count($_FILES) . ' | files_keys=' . implode(',', array_keys($_FILES)) . ' | queue_tfe=' . (isset($_FILES['queue_file']['name']['tfe']) ? count(array_filter($_FILES['queue_file']['name']['tfe'])) : 0));
// Only suppress display_errors in production (cli-server = dev mode).
if (php_sapi_name() !== 'cli-server') {
ini_set('display_errors', 0);
@@ -25,8 +23,6 @@ if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
die('Erreur de sécurité : token invalide. Veuillez recharger le formulaire.');
}
error_log('[formulaire.php] full FILES array: ' . print_r($_FILES, true));
require_once APP_ROOT . '/src/Controllers/ThesisCreateController.php';
require_once APP_ROOT . '/src/AppLogger.php';
require_once APP_ROOT . '/src/AdminLogger.php';
@@ -45,6 +41,10 @@ try {
$logger->logSubmission('admin', $thesisId, $identifier, $authorName);
$adminLogger->logAdd($thesisId, $identifier, $authorName);
// Clear autosave draft + FilePond temp files
unset($_SESSION['admin_draft_' . ($_POST['draft_token'] ?? '')]);
unset($_SESSION['admin_draft_add_token']);
unset($_SESSION['filepond_tmp']);
unset($_SESSION['csrf_token']);
$redirect = '../recapitulatif.php?id=' . $thesisId;

1
app/public/admin/actions/language.php
View File

@@ -1,7 +1,6 @@
<?php
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[language.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();
if ($_SERVER['REQUEST_METHOD'] !== 'POST'

1
app/public/admin/actions/maintenance.php
View File

@@ -1,7 +1,6 @@
<?php
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[maintenance.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();
if ($_SERVER['REQUEST_METHOD'] !== 'POST'

1
app/public/admin/actions/page.php
View File

@@ -5,7 +5,6 @@
*/
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[page.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | slug=' . ($_POST['slug'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();
$isAjax = (!empty($_SERVER['HTTP_ACCEPT']) && str_contains($_SERVER['HTTP_ACCEPT'], 'application/json'))

2
app/public/admin/actions/publish.php
View File

@@ -1,8 +1,6 @@
<?php
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[publish.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | is_bulk=' . (!empty($_POST['bulk']) ? '1' : '0') . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();
require_once __DIR__ . '/../../../src/Database.php';

11
app/public/admin/actions/settings.php
View File

@@ -1,12 +1,10 @@
<?php
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[settings.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | section=' . ($_POST['section'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
|| !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
error_log('[settings.php] CSRF FAIL | session_token=' . ($_SESSION['csrf_token'] ?? 'none') . ' | post_token=' . ($_POST['csrf_token'] ?? 'none'));
App::flash('error', "Erreur de sécurité : token invalide.");
header('Location: /admin/parametres.php');
exit;
@@ -21,7 +19,6 @@ $logger = AdminLogger::make();
$isHxRequest = (isset($_SERVER['HTTP_HX_REQUEST']) && $_SERVER['HTTP_HX_REQUEST'] === 'true');
$section = $_POST['section'] ?? '';
error_log('[settings.php] PROCESS | section=' . $section . ' | post_keys=' . implode(',', array_keys($_POST)));
/**
* Return an HTML toast fragment for HTMX responses and exit.
@@ -58,9 +55,7 @@ function hxToastError(string $message): never {
if ($section === 'formulaire_restrictions') {
// HTMX may not send unchecked checkboxes even with hidden 0-value inputs;
// missing key means unchecked → treat as '0'.
$rawPost = $_POST['restricted_files_enabled'] ?? '(missing)';
$newValue = empty($_POST['restricted_files_enabled']) ? '0' : '1';
error_log('[settings.php] SAVE formulaire_restrictions | restricted_files_enabled raw=' . var_export($rawPost, true) . ' | resolved=' . $newValue);
$db->setSetting('restricted_files_enabled', $newValue);
$logger->logFormSettingsUpdate(['restricted_files_enabled' => $newValue]);
if ($isHxRequest) {
@@ -76,9 +71,7 @@ if ($section === 'formulaire_restrictions') {
];
$newValues = [];
foreach ($allowed as $key) {
$raw = $_POST[$key] ?? '(missing)';
$value = empty($_POST[$key]) ? '0' : '1';
error_log('[settings.php] SAVE formulaire_acces | ' . $key . ' raw=' . var_export($raw, true) . ' | resolved=' . $value);
$db->setSetting($key, $value);
$newValues[$key] = $value;
}
@@ -89,14 +82,10 @@ if ($section === 'formulaire_restrictions') {
App::flash('success', "Degrés d'ouverture mis à jour.");
}
} elseif ($section === 'objet_types') {
$rawThese = $_POST['objet_these_enabled'] ?? '(missing)';
$rawFrart = $_POST['objet_frart_enabled'] ?? '(missing)';
$newValues = [
'objet_these_enabled' => empty($_POST['objet_these_enabled']) ? '0' : '1',
'objet_frart_enabled' => empty($_POST['objet_frart_enabled']) ? '0' : '1',
];
error_log('[settings.php] SAVE objet_types | objet_these_enabled raw=' . var_export($rawThese, true) . ' | resolved=' . $newValues['objet_these_enabled']);
error_log('[settings.php] SAVE objet_types | objet_frart_enabled raw=' . var_export($rawFrart, true) . ' | resolved=' . $newValues['objet_frart_enabled']);
$db->setSetting('objet_these_enabled', $newValues['objet_these_enabled']);
$db->setSetting('objet_frart_enabled', $newValues['objet_frart_enabled']);
$logger->logObjetTypesUpdate($newValues);

1
app/public/admin/actions/smtp-test.php
View File

@@ -1,7 +1,6 @@
<?php
require_once __DIR__ . "/../../../bootstrap.php";
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[smtp-test.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | test_email=' . ($_POST['test_email'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();
require_once APP_ROOT . '/src/Database.php';

1
app/public/admin/actions/tag.php
View File

@@ -1,7 +1,6 @@
<?php
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[tag.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();
if ($_SERVER['REQUEST_METHOD'] !== 'POST'

1
app/public/admin/actions/visibility.php
View File

@@ -1,7 +1,6 @@
<?php
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
error_log('[visibility.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | is_bulk=' . (!empty($_POST['bulk']) ? '1' : '0') . ' | post_keys=' . implode(',', array_keys($_POST)));
AdminAuth::requireLogin();
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])