Reintroduce TFE duration metadata: DB columns, form fields, controllers, views, and migration

Add 'unsafe-eval' to CSP script-src directives (htmx requires Function())
2026-06-25 08:09:18 +02:00 · 2026-06-11 13:05:37 +02:00
parent 00fed5f0e3
commit d588ae004d
81 changed files with 1061 additions and 840 deletions
--- a/app/public/admin/actions/draft.php
+++ b/app/public/admin/actions/draft.php
@@ -0,0 +1,93 @@
+<?php
+/**
+ * Admin autosave draft endpoint.
+ *
+ * POST — receive all form fields and persist them to the session draft store.
+ *
+ * Drafts are scoped per mode:
+ *   - add: keyed by a generated token (stored in form)
+ *   - edit: keyed by thesis_id
+ *
+ * Excluded field patterns (not persisted as drafts):
+ *   - csrf_token
+ *   - FilePond metadata (filepond_mode, queue_file, filepond_*)
+ *   - Files-related fields
+ *   - Empty values
+ */
+require_once __DIR__ . '/../../../bootstrap.php';
+require_once APP_ROOT . '/src/AdminAuth.php';
+AdminAuth::requireLogin();
+
+$method = $_SERVER['REQUEST_METHOD'];
+
+// ── CSRF check ──────────────────────────────────────────────────────────
+if ($method !== 'POST') {
+    http_response_code(405);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Méthode non autorisée.']);
+    exit;
+}
+
+if (
+    !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
+    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])
+) {
+    http_response_code(403);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Token de sécurité invalide.']);
+    exit;
+}
+
+// ── Determine draft key ─────────────────────────────────────────────────
+$draftToken = $_POST['draft_token'] ?? '';
+$thesisId   = (int)($_POST['thesis_id'] ?? 0);
+
+if ($draftToken !== '' && preg_match('/^[a-f0-9]{16}$/', $draftToken)) {
+    $draftKey = 'admin_draft_' . $draftToken;
+} elseif ($thesisId > 0) {
+    $draftKey = 'admin_draft_edit_' . $thesisId;
+} else {
+    http_response_code(400);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Paramètres invalides.']);
+    exit;
+}
+
+// ── Save all form fields ────────────────────────────────────────────────
+$excludePrefixes = [
+    'csrf_token', 'share_link_token',
+    'filepond_mode', 'queue_file', 'filepond_',
+];
+$excludeExact = ['draft_token', 'thesis_id', 'slug',
+    'couverture', 'note_intention', 'files', 'annexes',
+    'peertube_video', 'peertube_audio', 'cover_remove',
+    'go', 'MAX_FILE_SIZE'];
+
+$draft = [];
+foreach ($_POST as $key => $value) {
+    if (in_array($key, $excludeExact, true)) continue;
+    $skip = false;
+    foreach ($excludePrefixes as $prefix) {
+        if (str_starts_with($key, $prefix)) { $skip = true; break; }
+    }
+    if ($skip) continue;
+
+    if ($value === '' || $value === null || (is_array($value) && count($value) === 0)) {
+        continue;
+    }
+
+    $draft[$key] = $value;
+}
+
+$_SESSION[$draftKey] = $draft;
+
+// Rotate CSRF after mutation
+$newToken = bin2hex(random_bytes(32));
+$_SESSION['csrf_token'] = $newToken;
+
+header('Content-Type: application/json');
+echo json_encode([
+    'success'    => true,
+    'csrf_token' => $newToken,
+]);
+exit;