Reintroduce TFE duration metadata: DB columns, form fields, controllers, views, and migration

Add 'unsafe-eval' to CSP script-src directives (htmx requires Function())

app/public/partage/index.php

@@ -277,7 +277,11 @@ function renderShareLinkForm(string $slug, array $link): void
     // Filter out PACS from AP programs for student forms (spec: admin-only AP)
     $apPrograms = array_values(array_filter($apPrograms, fn($ap) => ($ap['code'] ?? '') !== 'PACS'));
 
-    $formData = $_SESSION['form_data_share_' . $slug] ?? [];
+    // Hydrate form data from session draft (autosave). Flash repopulation
+    // (from validation redirects) takes priority over stale draft entries.
+    $draftKey  = 'partage_draft_' . $slug;
+    $draftData = $_SESSION[$draftKey] ?? [];
+    $formData  = array_merge($draftData, $_SESSION['form_data_share_' . $slug] ?? []);
     unset($_SESSION['form_data_share_' . $slug]);
 
     // Determine allowed objet values for this link
@@ -324,7 +328,8 @@ function renderShareLinkForm(string $slug, array $link): void
     // ── Shared form variables ──────────────────────────────────────────────
     $mode         = 'partage';
     $formAction   = '/partage/' . urlencode($slug) . '/submit';
-    $hiddenFields = '<input type="hidden" name="share_link_token" value="' . htmlspecialchars($shareCsrfToken) . '">';
+    $hiddenFields = '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($csrfToken) . '">'
+        . '<input type="hidden" name="share_link_token" value="' . htmlspecialchars($shareCsrfToken) . '">';
 
     $oldFn           = $shareOldFn;
     $withAutofocusFn = $shareWithAutofocusFn;
@@ -399,6 +404,11 @@ function renderShareLinkForm(string $slug, array $link): void
     $currentContextNote       = null;
     $currentContactVisible    = null;
 
+    // ── Autosave wiring ─────────────────────────────────────────────────┐
+    $autosaveUrl = '/partage/fragments/draft.php?slug=' . urlencode($slug);
+    $formExtraAttrs = '';
+    $showAutosaveStatus = true;
+
     include APP_ROOT . '/templates/partage/form-page.php';
     ?>
         <main id="main-content">
@@ -537,6 +547,8 @@ function handleShareLinkSubmission(string $slug): void
         unset($_SESSION['share_verified_' . $slug]);
         unset($_SESSION['share_active']);
         unset($_SESSION['share_primed_files_' . $slug]);
+        // Clear autosave draft — submission succeeded
+        unset($_SESSION['partage_draft_' . $slug]);
         // Clear FilePond temp file tracking — files have been moved to permanent storage
         unset($_SESSION['filepond_tmp']);
 

app/public/partage/recapitulatif.php

@@ -18,7 +18,8 @@ if ($thesisId <= 0) {
 }
 
 $db     = Database::getInstance();
-$thesis = $db->getThesis($thesisId);
+// Only published theses are visible via public recap (no slug-auth here).
+$thesis = $db->getThesisById($thesisId);
 if (!$thesis) {
     http_response_code(404);
     die('TFE introuvable.');