fix: req annexes, add HTMX inline file validation (MIME/size)

- Annexes file input now required when 'has_annexes' checkbox is checked - PHP-side validation: if has_annexes but no files, throw error - HTMX inline file validation: POSTs to validate-file-fragment on file change - Validates MIME type against per-field whitelists (couverture, note_intention, tfe, annexes) - Validates file size with PDF-specific 100MB limit - Supports both single-file and multi-file inputs - Returns green ✓ or red ✕ inline validation messages - Shared validation logic in src/Controllers/validate-file-fragment-shared.php - Admin wrapper: admin/validate-file-fragment.php (with AdminAuth guard) - Partage route: /partage/validate-file-fragment (dispatched via index.php) - CSS: .file-validation-msg, .fv-ok (green), .fv-error (red) - file-field.php: accepts $fieldName for per-input validation type, auto-detects admin/partage validate URL
2026-06-25 16:19:19 +02:00 · 2026-05-10 15:55:35 +02:00
parent a1a5d4609f
commit e06a317499
10 changed files with 503 additions and 130 deletions
--- a/TODO.md
+++ b/TODO.md
@@ -34,3 +34,8 @@
 - [x] Relax 3-keyword minimum: admin mode (create) requires 1+, edit requires 1+, student (partage) requires 3
 - [x] Add CSS for file preview items (.fp-item, .fp-thumb, .fp-icon, .fp-meta, .fp-name, .fp-size) so annexes/cover/note-intention previews wrap and display correctly
 - [x] Fix TFE file input accept attribute to include video/audio/archive extensions
 - [x] Make annexes file input required when "Ce TFE comporte des annexes" is checked
 - [x] Add PHP-side validation: if has_annexes checked but no annexe files provided, throw error
 - [x] Add HTMX inline file validation: MIME type + file size checked on change via validate-file-fragment endpoint
 - [x] Create shared validation logic (validate-file-fragment-shared.php) used by both admin and partage
 - [x] Add CSS for .file-validation-msg, .fv-ok, .fv-error inline validation messages
--- a/app/public/admin/validate-file-fragment.php
+++ b/app/public/admin/validate-file-fragment.php
@@ -0,0 +1,12 @@
 <?php
 /**
 * validate-file-fragment.php (admin)
 *
 * Admin-gated HTMX fragment: validates uploaded file MIME type and size.
 * Wraps the shared validation logic.
 */
 require_once __DIR__ . '/../../bootstrap.php';
 require_once __DIR__ . '/../../src/AdminAuth.php';
 AdminAuth::requireLogin();
 require_once APP_ROOT . '/src/Controllers/validate-file-fragment-shared.php';
--- a/app/public/assets/css/form.css
+++ b/app/public/assets/css/form.css
@@ -516,6 +516,22 @@
  color: var(--text-tertiary);
 }
 /* ── Inline file validation messages (HTMX) ──────────────────────────────── */
 .file-validation-msg {
  margin-top: var(--space-3xs);
  font-size: var(--step--2);
  line-height: 1.5;
 }
 .fv-ok {
  color: var(--success, #2d6a4f);
 }
 .fv-error {
  color: var(--danger, #c1121f);
 }
 /* ── TFE file upload queue (.tfe-file-queue) ────────────────────────────── */
 .admin-files-fieldgroup {
--- a/app/public/assets/js/file-upload-queue.js
+++ b/app/public/assets/js/file-upload-queue.js
@@ -11,139 +11,245 @@
 * after swap without a global event listener.
 */
 window.XamxamInitFileUploads = function () {
-  console.log('[file-upload-queue] XamxamInitFileUploads called');
+	console.log("[file-upload-queue] XamxamInitFileUploads called");
-  var ICON = {
+	var ICON = {
-    pdf: '\uD83D\uDCC4', video: '\uD83C\uDFAC', audio: '\uD83D\uDD0A',
+		pdf: "\uD83D\uDCC4",
-    zip: '\uD83D\uDDDC\uFE0F', vtt: '\uD83D\uDCAC', image: '\uD83D\uDDBC\uFE0F', other: '\uD83D\uDCCE'
+		video: "\uD83C\uDFAC",
-  };
+		audio: "\uD83D\uDD0A",
 		zip: "\uD83D\uDDDC\uFE0F",
 		vtt: "\uD83D\uDCAC",
 		image: "\uD83D\uDDBC\uFE0F",
 		other: "\uD83D\uDCCE",
 	};
-  function iconFor(file) {
+	function iconFor(file) {
-    var t = file.type || '', n = file.name.toLowerCase();
+		var t = file.type || "",
-    if (/^image\//.test(t)) return ICON.image;
+			n = file.name.toLowerCase();
-    if (t === 'application/pdf' || /\.pdf$/.test(n)) return ICON.pdf;
+		if (/^image\//.test(t)) return ICON.image;
-    if (/^video\//.test(t) || /\.(mp4|webm|mov|ogv)$/.test(n)) return ICON.video;
+		if (t === "application/pdf" || /\.pdf$/.test(n)) return ICON.pdf;
-    if (/^audio\//.test(t) || /\.(mp3|ogg|oga|wav|flac|aac|m4a)$/.test(n)) return ICON.audio;
+		if (/^video\//.test(t) || /\.(mp4|webm|mov|ogv)$/.test(n))
-    if (/\.(zip|tar|gz|tgz)$/.test(n)) return ICON.zip;
+			return ICON.video;
-    if (/\.vtt$/.test(n)) return ICON.vtt;
+		if (/^audio\//.test(t) || /\.(mp3|ogg|oga|wav|flac|aac|m4a)$/.test(n))
-    return ICON.other;
+			return ICON.audio;
-  }
+		if (/\.(zip|tar|gz|tgz)$/.test(n)) return ICON.zip;
 		if (/\.vtt$/.test(n)) return ICON.vtt;
 		return ICON.other;
 	}
-  function humanSize(b) {
+	function humanSize(b) {
-    return b >= 1073741824 ? (b / 1073741824).toFixed(2) + ' GB'
+		return b >= 1073741824
-         : b >= 1048576   ? (b / 1048576).toFixed(2) + ' MB'
+			? (b / 1073741824).toFixed(2) + " GB"
-         : b >= 1024      ? (b / 1024).toFixed(1) + ' KB'
+			: b >= 1048576
-         : b + ' B';
+				? (b / 1048576).toFixed(2) + " MB"
-  }
+				: b >= 1024
 					? (b / 1024).toFixed(1) + " KB"
 					: b + " B";
 	}
-  function esc(s) { return s.replace(/[&<>"]/g, function(c){ return {'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;'}[c]; }); }
+	function esc(s) {
 		return s.replace(/[&<>"]/g, function (c) {
 			return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" }[c];
 		});
 	}
-  // ── 1. TFE multi-file queue ────────────────────────────────────────────
+	// ── 1. TFE multi-file queue ────────────────────────────────────────────
-  var picker   = document.getElementById('tfe-files-input');
+	var picker = document.getElementById("tfe-files-input");
-  var queue    = document.getElementById('tfe-file-queue');
+	var queue = document.getElementById("tfe-file-queue");
-  var empty    = document.getElementById('tfe-file-queue-empty');
+	var empty = document.getElementById("tfe-file-queue-empty");
-  var sortHint = document.getElementById('tfe-file-queue-sort-hint');
+	var sortHint = document.getElementById("tfe-file-queue-sort-hint");
-  if (picker && queue) {
+	if (picker && queue) {
-    console.log('[file-upload-queue] init TFE queue picker=', picker, 'multiple=', picker.multiple);
+		console.log(
-    var fileArray = [];
+			"[file-upload-queue] init TFE queue picker=",
 			picker,
 			"multiple=",
 			picker.multiple,
 		);
 		var fileArray = [];
-    if (typeof Sortable !== 'undefined') {
+		if (typeof Sortable !== "undefined") {
-      Sortable.create(queue, { animation: 150, handle: '.fq-drag-handle', ghostClass: 'fq-ghost',
+			Sortable.create(queue, {
-        onEnd: function () {
+				animation: 150,
-          var items = queue.querySelectorAll('.fq-item');
+				handle: ".fq-drag-handle",
-          var newArr = Array.prototype.map.call(items, function (li) { return fileArray[parseInt(li.getAttribute('data-idx'), 10)]; });
+				ghostClass: "fq-ghost",
-          fileArray = newArr;
+				onEnd: function () {
-          renderQueue();
+					var items = queue.querySelectorAll(".fq-item");
-        }
+					var newArr = Array.prototype.map.call(items, function (li) {
-      });
+						return fileArray[parseInt(li.getAttribute("data-idx"), 10)];
-    }
+					});
 					fileArray = newArr;
 					renderQueue();
 				},
 			});
 		}
-    picker.onchange = function () {
+		picker.onchange = function () {
-      console.log('[file-upload-queue] onchange fired, files count:', picker.files.length, 'names:', Array.from(picker.files).map(function(f){return f.name}));
+			console.log(
-      fileArray = fileArray.concat(Array.from(picker.files));
+				"[file-upload-queue] onchange fired, files count:",
-      console.log('[file-upload-queue] fileArray after concat, length:', fileArray.length);
+				picker.files.length,
-      picker.value = '';
+				"names:",
-      renderQueue();
+				Array.from(picker.files).map(function (f) {
-    };
+					return f.name;
 				}),
 			);
 			fileArray = fileArray.concat(Array.from(picker.files));
 			console.log(
 				"[file-upload-queue] fileArray after concat, length:",
 				fileArray.length,
 			);
 			picker.value = "";
 			renderQueue();
 		};
-    function renderQueue() {
+		function renderQueue() {
-      queue.innerHTML = '';
+			queue.innerHTML = "";
-      if (!fileArray.length) { empty.style.display = ''; if (sortHint) sortHint.style.display = 'none'; injectHiddenFields([]); return; }
+			if (!fileArray.length) {
-      empty.style.display = 'none';
+				empty.style.display = "";
-      if (sortHint) sortHint.style.display = '';
+				if (sortHint) sortHint.style.display = "none";
-      fileArray.forEach(function (file, idx) {
+				injectHiddenFields([]);
-        var li = document.createElement('li');
+				return;
-        li.className = 'fq-item';
+			}
-        li.setAttribute('data-idx', idx);
+			empty.style.display = "none";
-        li.innerHTML =
+			if (sortHint) sortHint.style.display = "";
-          '<span class="fq-drag-handle" title="R\u00e9ordonner">\u2820</span>' +
+			fileArray.forEach(function (file, idx) {
-          '<span class="fq-icon">' + iconFor(file) + '</span>' +
+				var li = document.createElement("li");
-          '<span class="fq-info"><span class="fq-name">' + esc(file.name) + '</span>' +
+				li.className = "fq-item";
-          '<span class="fq-size">' + humanSize(file.size) + '</span></span>' +
+				li.setAttribute("data-idx", idx);
-          '<button type="button" class="admin-btn-remove fq-remove" aria-label="Retirer ' + esc(file.name) + '">&#x2715;</button>';
+				li.innerHTML =
-        li.querySelector('.fq-remove').onclick = (function (i) { return function () { fileArray.splice(i, 1); renderQueue(); }; })(idx);
+					'<span class="fq-drag-handle" title="R\u00e9ordonner">\u2820</span>' +
-        queue.appendChild(li);
+					'<span class="fq-icon">' +
-      });
+					iconFor(file) +
-      injectHiddenFields(Array.from(queue.querySelectorAll('.fq-item')));
+					"</span>" +
-    }
+					'<span class="fq-info"><span class="fq-name">' +
 					esc(file.name) +
 					"</span>" +
 					'<span class="fq-size">' +
 					humanSize(file.size) +
 					"</span></span>" +
 					'<button type="button" class="admin-btn-remove fq-remove" aria-label="Retirer ' +
 					esc(file.name) +
 					'">&#x2715;</button>';
 				li.querySelector(".fq-remove").onclick = (function (i) {
 					return function () {
 						fileArray.splice(i, 1);
 						renderQueue();
 					};
 				})(idx);
 				queue.appendChild(li);
 			});
 			injectHiddenFields(Array.from(queue.querySelectorAll(".fq-item")));
 		}
-    function injectHiddenFields(items) {
+		function injectHiddenFields(items) {
-      var form = picker.closest('form');
+			var form = picker.closest("form");
-      if (!form) return;
+			if (!form) return;
-      form.querySelectorAll('.fq-hidden-label, .fq-hidden-order').forEach(function (el) { el.remove(); });
+			form
-      items.forEach(function (li, sortedIdx) {
+				.querySelectorAll(".fq-hidden-label, .fq-hidden-order")
-        var label = li.querySelector('.fq-label');
+				.forEach(function (el) {
-        var lInp = document.createElement('input'); lInp.type = 'hidden'; lInp.name = 'file_labels[]'; lInp.value = label ? label.value : ''; lInp.className = 'fq-hidden-label'; form.appendChild(lInp);
+					el.remove();
-        var oInp = document.createElement('input'); oInp.type = 'hidden'; oInp.name = 'file_orders[]'; oInp.value = sortedIdx + 1; oInp.className = 'fq-hidden-order'; form.appendChild(oInp);
+				});
-      });
+			items.forEach(function (li, sortedIdx) {
-    }
+				var label = li.querySelector(".fq-label");
 				var lInp = document.createElement("input");
 				lInp.type = "hidden";
 				lInp.name = "file_labels[]";
 				lInp.value = label ? label.value : "";
 				lInp.className = "fq-hidden-label";
 				form.appendChild(lInp);
 				var oInp = document.createElement("input");
 				oInp.type = "hidden";
 				oInp.name = "file_orders[]";
 				oInp.value = sortedIdx + 1;
 				oInp.className = "fq-hidden-order";
 				form.appendChild(oInp);
 			});
 		}
-    // On submit, refresh hidden fields from current queue state
+		// On submit, refresh hidden fields from current queue state
-    var form = picker.closest('form');
+		var form = picker.closest("form");
-    if (form) form.addEventListener('submit', function () { injectHiddenFields(Array.from(queue.querySelectorAll('.fq-item'))); });
+		if (form)
-  }
+			form.addEventListener("submit", function () {
 				injectHiddenFields(Array.from(queue.querySelectorAll(".fq-item")));
 			});
 	}
-  // ── 2. Single-file previews (data-preview attribute) ────────────────────
+	// ── 2. Single-file previews (data-preview attribute) ────────────────────
-  document.querySelectorAll('input[type="file"][data-preview]').forEach(function (input) {
+	document
-    if (input.id === 'tfe-files-input') return;
+		.querySelectorAll('input[type="file"][data-preview]')
-    console.log('[file-upload-queue] binding preview for', input.id, 'multiple=', input.multiple);
+		.forEach(function (input) {
-    var container = document.getElementById(input.getAttribute('data-preview'));
+			if (input.id === "tfe-files-input") return;
-    if (!container) return;
+			console.log(
-    input.onchange = function () {
+				"[file-upload-queue] binding preview for",
-      container.innerHTML = '';
+				input.id,
-      Array.from(input.files).forEach(function (file) {
+				"multiple=",
-        var item = document.createElement('div'); item.className = 'fp-item';
+				input.multiple,
-        if (/^image\//.test(file.type)) {
+			);
-          var img = document.createElement('img'); img.className = 'fp-thumb'; img.alt = file.name;
+			var container = document.getElementById(
-          var reader = new FileReader();
+				input.getAttribute("data-preview"),
-          reader.onload = function (e) { img.src = e.target.result; };
+			);
-          reader.readAsDataURL(file);
+			if (!container) return;
-          item.appendChild(img);
+			input.onchange = function () {
-        } else {
+				container.innerHTML = "";
-          var ic = document.createElement('span'); ic.className = 'fp-icon'; ic.textContent = iconFor(file);
+				Array.from(input.files).forEach(function (file) {
-          item.appendChild(ic);
+					var item = document.createElement("div");
-        }
+					item.className = "fp-item";
-        var meta = document.createElement('span'); meta.className = 'fp-meta';
+					if (/^image\//.test(file.type)) {
-        meta.innerHTML = '<span class="fp-name">' + esc(file.name) + '</span><span class="fp-size">' + humanSize(file.size) + '</span>';
+						var img = document.createElement("img");
-        item.appendChild(meta);
+						img.className = "fp-thumb";
-        container.appendChild(item);
+						img.alt = file.name;
-      });
+						var reader = new FileReader();
-    };
+						reader.onload = function (e) {
-  });
+							img.src = e.target.result;
 						};
 						reader.readAsDataURL(file);
 						item.appendChild(img);
 					} else {
 						var ic = document.createElement("span");
 						ic.className = "fp-icon";
 						ic.textContent = iconFor(file);
 						item.appendChild(ic);
 					}
 					var meta = document.createElement("span");
 					meta.className = "fp-meta";
 					meta.innerHTML =
 						'<span class="fp-name">' +
 						esc(file.name) +
 						'</span><span class="fp-size">' +
 						humanSize(file.size) +
 						"</span>";
 					item.appendChild(meta);
 					container.appendChild(item);
 				});
 			};
 		});
-  // ── 3. Existing-files sortable (edit mode) ──────────────────────────────
+	// ── 3. Existing-files sortable (edit mode) ──────────────────────────────
-  var sortList = document.getElementById('existing-files-sortable');
+	var sortList = document.getElementById("existing-files-sortable");
-  if (sortList && typeof Sortable !== 'undefined') {
+	if (sortList && typeof Sortable !== "undefined") {
-    Sortable.create(sortList, { animation: 150, handle: '.admin-file-drag-handle', ghostClass: 'fq-ghost',
+		Sortable.create(sortList, {
-      onEnd: function () {
+			animation: 150,
-        sortList.querySelectorAll('input[name="file_sort_order[]"]').forEach(function (el) { el.remove(); });
+			handle: ".admin-file-drag-handle",
-        sortList.querySelectorAll('.admin-file-list-item[data-file-id]').forEach(function (li) {
+			ghostClass: "fq-ghost",
-          var inp = document.createElement('input'); inp.type = 'hidden'; inp.name = 'file_sort_order[]'; inp.value = li.getAttribute('data-file-id'); li.prepend(inp);
+			onEnd: function () {
-        });
+				sortList
-      }
+					.querySelectorAll('input[name="file_sort_order[]"]')
-    });
+					.forEach(function (el) {
-  }
+						el.remove();
 					});
 				sortList
 					.querySelectorAll(".admin-file-list-item[data-file-id]")
 					.forEach(function (li) {
 						var inp = document.createElement("input");
 						inp.type = "hidden";
 						inp.name = "file_sort_order[]";
 						inp.value = li.getAttribute("data-file-id");
 						li.prepend(inp);
 					});
 			},
 		});
 	}
 };
 // Bootstrap on page load
-if (document.readyState === 'loading') document.addEventListener('DOMContentLoaded', window.XamxamInitFileUploads);
+if (document.readyState === "loading")
 	document.addEventListener("DOMContentLoaded", window.XamxamInitFileUploads);
 else window.XamxamInitFileUploads();
--- a/app/public/partage/fichiers-fragment.php
+++ b/app/public/partage/fichiers-fragment.php
@@ -197,7 +197,7 @@ $hasAnnexesChecked = !empty($_POST['has_annexes']);
        $label    = 'Annexes :';
        $accept   = '.pdf,.zip,.tar,.gz';
        $hint     = 'PDF ou archives ZIP/TAR. Max 500 MB.';
-        $required = false;
+        $required = !$adminMode;
        $multiple = true;
        include APP_ROOT . '/templates/partials/form/file-field.php';
        ?>
--- a/app/public/partage/index.php
+++ b/app/public/partage/index.php
@@ -36,6 +36,13 @@ if ($slug === 'format-website-fragment' && $_SERVER['REQUEST_METHOD'] === 'POST'
    exit;
 }
 // Special route: /partage/validate-file-fragment (HTMX fragment — file MIME/size validation)
 if ($slug === 'validate-file-fragment' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    App::boot();
    require_once __DIR__ . '/../../src/Controllers/validate-file-fragment-shared.php';
    exit;
 }
 // Special route: /partage/fichiers-fragment (HTMX fragment — format-aware fichiers block)
 if ($slug === 'fichiers-fragment' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    App::boot();
--- a/app/src/Controllers/ThesisCreateController.php
+++ b/app/src/Controllers/ThesisCreateController.php
@@ -512,6 +512,12 @@ class ThesisCreateController
        $exemplaireErg  = !empty($post['exemplaire_erg']);
        $cc2r = !empty($post['cc2r']);
        // Annexes validation: if has_annexes is checked, at least one annexe file must be provided
        $hasAnnexes = !empty($post['has_annexes']);
        if (!$adminMode && $hasAnnexes && empty($_FILES['annexes']['name'][0])) {
            throw new Exception('Veuillez fournir au moins un fichier d\'annexe.');
        }
        return compact(
            'authorNames',
            'mail',
--- a/app/src/Controllers/validate-file-fragment-shared.php
+++ b/app/src/Controllers/validate-file-fragment-shared.php
@@ -0,0 +1,191 @@
 <?php
 /**
 * validate-file-fragment.php
 *
 * HTMX fragment: validates a single uploaded file against MIME type and size
 * constraints. Returns an inline error message or clears the file input wrapper.
 *
 * Expected POST (multipart/form-data):
 *   file         — the uploaded file
 *   field_name   — 'couverture' | 'note_intention' | 'tfe' | 'annexes'
 *   admin_mode   — '1' to skip validation (admins can upload anything)
 */
 require_once __DIR__ . '/../../bootstrap.php';
 $adminMode = ($_POST['admin_mode'] ?? '0') === '1';
 $fieldName = $_POST['field_name'] ?? '';
 // Read file from the field-name-specific key (e.g., $_FILES['couverture'], $_FILES['annexes'])
 // For multi-file inputs (name ends with []), the first file is validated.
 $rawFile = $_FILES[$fieldName] ?? null;
 if ($rawFile && is_array($rawFile['name'] ?? null)) {
    // Multi-file: flatten first entry
    $file = [
        'name'     => $rawFile['name'][0] ?? null,
        'tmp_name' => $rawFile['tmp_name'][0] ?? null,
        'error'    => $rawFile['error'][0] ?? UPLOAD_ERR_NO_FILE,
        'size'     => $rawFile['size'][0] ?? 0,
    ];
    // Validate ALL selected files (batch validation)
    $allFiles = [];
    $count = count($rawFile['name'] ?? []);
    for ($i = 0; $i < $count; $i++) {
        $allFiles[] = [
            'name'     => $rawFile['name'][$i] ?? null,
            'tmp_name' => $rawFile['tmp_name'][$i] ?? null,
            'error'    => $rawFile['error'][$i] ?? UPLOAD_ERR_NO_FILE,
            'size'     => $rawFile['size'][$i] ?? 0,
        ];
    }
 } else {
    $file = $rawFile;
    $allFiles = $file ? [$file] : [];
 }
 // ── No file provided — clear any existing validation state ──────────────────
 if (empty($allFiles)) {
    echo '';
    exit;
 }
 if ($adminMode) {
    // Admins: no validation, always OK
    $count = count($allFiles);
    echo '<span class="fv-ok">✓ ' . $count . ' fichier' . ($count > 1 ? 's' : '') . ' accepté' . ($count > 1 ? 's' : '') . '</span>';
    exit;
 }
 // ── MIME + extension whitelist per field type ────────────────────────────────
 $finfo = new finfo(FILEINFO_MIME_TYPE);
 $constraints = match ($fieldName) {
    'couverture' => [
        'mimes'       => ['image/jpeg', 'image/png', 'image/webp'],
        'exts'        => ['jpg', 'jpeg', 'png', 'webp'],
        'maxSize'     => 20 * 1024 * 1024,  // 20 MB
        'label'       => 'Image de couverture',
        'allowedDesc' => 'JPG, PNG ou WEBP',
        'maxSizeDesc' => '20 MB',
    ],
    'note_intention' => [
        'mimes'       => ['application/pdf'],
        'exts'        => ['pdf'],
        'maxSize'     => 100 * 1024 * 1024, // 100 MB
        'label'       => 'Note d\'intention',
        'allowedDesc' => 'PDF uniquement',
        'maxSizeDesc' => '100 MB',
    ],
    'tfe' => [
        'mimes'       => [
            'application/pdf',
            'image/jpeg', 'image/png', 'image/gif', 'image/webp',
            'video/mp4', 'video/webm', 'video/ogg', 'video/quicktime',
            'audio/mpeg', 'audio/mp3', 'audio/ogg', 'audio/wav',
            'audio/flac', 'audio/aac', 'audio/x-m4a', 'audio/mp4',
            'text/vtt',
            'application/zip', 'application/x-zip-compressed',
            'application/x-tar', 'application/gzip',
            'application/octet-stream',
        ],
        'exts'        => [
            'jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf',
            'mp4', 'webm', 'ogv', 'mov',
            'mp3', 'ogg', 'oga', 'wav', 'flac', 'aac', 'm4a',
            'vtt', 'zip', 'tar', 'gz', 'tgz',
        ],
        'maxSize'     => 500 * 1024 * 1024, // 500 MB
        'label'       => 'Fichier TFE',
        'allowedDesc' => 'PDF, images, vidéos, audio, archives',
        'maxSizeDesc' => '500 MB',
    ],
    'annexes' => [
        'mimes'       => [
            'application/pdf', 'image/jpeg', 'image/png', 'image/gif', 'image/webp',
            'video/mp4', 'video/webm', 'video/ogg', 'video/quicktime',
            'audio/mpeg', 'audio/mp3', 'audio/ogg', 'audio/wav',
            'audio/flac', 'audio/aac', 'audio/x-m4a', 'audio/mp4',
            'text/vtt',
            'application/zip', 'application/x-zip-compressed',
            'application/x-tar', 'application/gzip',
            'application/octet-stream',
        ],
        'exts'        => [
            'jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf',
            'mp4', 'webm', 'ogv', 'mov',
            'mp3', 'ogg', 'oga', 'wav', 'flac', 'aac', 'm4a',
            'vtt', 'zip', 'tar', 'gz', 'tgz',
        ],
        'maxSize'     => 500 * 1024 * 1024, // 500 MB
        'label'       => 'Annexe',
        'allowedDesc' => 'PDF, archives, images',
        'maxSizeDesc' => '500 MB',
    ],
    default => [
        'mimes'       => [],
        'exts'        => [],
        'maxSize'     => 500 * 1024 * 1024,
        'label'       => 'Fichier',
        'allowedDesc' => 'tous types',
        'maxSizeDesc' => '500 MB',
    ],
 };
 // ── Validate each file ──────────────────────────────────────────────────────
 $errors = [];
 $oks = [];
 foreach ($allFiles as $idx => $f) {
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        continue;
    }
    $mimeType = $finfo->file($f['tmp_name']);
    $ext      = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    $size     = $f['size'];
    if ($mimeType === 'text/plain' && $ext === 'vtt') {
        $mimeType = 'text/vtt';
    }
    // PDF size limit
    $effMaxSize = $constraints['maxSize'];
    $effMaxDesc = $constraints['maxSizeDesc'];
    if ($mimeType === 'application/pdf' || $ext === 'pdf') {
        $effMaxSize = min($effMaxSize, 100 * 1024 * 1024);
        $effMaxDesc = '100 MB';
    }
    // Validate MIME
    $mimeOk = false;
    if ($mimeType === 'application/octet-stream' && !in_array($ext, $constraints['exts'], true)) {
        $mimeOk = false;
    } elseif (in_array($mimeType, $constraints['mimes'], true)) {
        $mimeOk = true;
    } elseif (in_array($ext, $constraints['exts'], true)) {
        $mimeOk = true;
    }
    if (!$mimeOk) {
        $errors[] = '✕ <em>' . htmlspecialchars($f['name']) . '</em> : type non accepté.'
                  . ' Formats acceptés : ' . htmlspecialchars($constraints['allowedDesc']) . '.';
        continue;
    }
    if ($size > $effMaxSize) {
        $mb = round($size / 1024 / 1024, 1);
        $errors[] = '✕ <em>' . htmlspecialchars($f['name']) . '</em> : fichier trop volumineux ('
                   . $mb . ' MB). Maximum : ' . htmlspecialchars($effMaxDesc) . '.';
        continue;
    }
    $oks[] = '✓ <em>' . htmlspecialchars($f['name']) . '</em> : ' . round($size / 1024 / 1024, 1) . ' MB';
 }
 // ── Output ────────────────────────────────────────────────────────────────────
 if (!empty($errors)) {
    echo '<span class="fv-error">' . implode('<br>', $errors) . '</span>';
 } elseif (!empty($oks)) {
    echo '<span class="fv-ok">' . implode('<br>', $oks) . '</span>';
 } else {
    echo '';
 }
--- a/app/templates/admin/acces.php
+++ b/app/templates/admin/acces.php
@@ -207,6 +207,19 @@
 +%%%%%%% diff from: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision)
 +\\\\\\\        to: yztqkpzz 9c95f5ce "fix: TFE and annexes files not saved, plus keyword validation and file preview CSS" (rebased revision)
 ++                        $linkName = $link['name'] ?? '';
 ++                        $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff from: yztqkpzz 9c95f5ce "fix: TFE and annexes files not saved, plus keyword validation and file preview CSS" (rebased revision)
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\        to: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision)
 -                        $linkName = $link['name'] ?? '';
 -                        $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff from: somsyvxz 14a3cd10 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebase destination)
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\        to: uvnvvyny 8b83eae7 "fix: req annexes, add HTMX inline file validation (MIME/size)" (rebased revision)
                         $linkName = $link['name'] ?? '';
                         $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';
                         $linkLockedYear = $link['locked_year'] ?? null;
 +%%%%%%% diff from: somsyvxz 249f7943 "Bulk bar anti-shift, tags icons, AP no-wrap, credits reorder" (rebased revision)
 +\\\\\\\        to: uvnvvyny 09c854ea "fix: req annexes, add HTMX inline file validation (MIME/size)" (rebased revision)
 ++                        $linkName = $link['name'] ?? '';
 ++                        $linkExpiresVal = $link['expires_at'] ? date('Y-m-d\TH:i', strtotime($link['expires_at'])) : '';
                    ?>
                    <tr class="admin-table-row" onclick="event.stopPropagation(); window.open('/partage/<?= urlencode($link['slug']) ?>', '_blank')" style="cursor:pointer">
--- a/app/templates/partials/form/file-field.php
+++ b/app/templates/partials/form/file-field.php
@@ -10,19 +10,35 @@
 *   bool        $required  — whether the field is required; default false
 *   bool        $multiple  — whether to allow multiple file selection; default false
 *   string|null $id        — override the id attribute (defaults to $name)
 *   string|null $fieldName — validation field name for HTMX inline validation ('couverture', 'note_intention', 'tfe', 'annexes')
 */
-$accept   = $accept   ?? '';
+$accept    = $accept    ?? '';
-$hint     = $hint     ?? null;
+$hint      = $hint      ?? null;
-$hintRaw  = $hintRaw  ?? false; // when true, $hint is emitted as raw HTML
+$hintRaw   = $hintRaw   ?? false; // when true, $hint is emitted as raw HTML
-$required = $required ?? false;
+$required  = $required  ?? false;
-$multiple = $multiple ?? false;
+$multiple  = $multiple  ?? false;
-$id       = $id       ?? $name;
+$id        = $id        ?? $name;
 $fieldName = $fieldName ?? $name; // validation field name
 $previewId = 'fp-' . htmlspecialchars($id);
 // Determine HTMX POST endpoint for inline file validation
 if (defined('ADMIN_MODE') && ADMIN_MODE) {
    $validateUrl = '/admin/validate-file-fragment.php';
 } else {
    $validateUrl = '/partage/validate-file-fragment';
 }
 ?>
 <div>
    <label for="<?= htmlspecialchars($id) ?>"><?= htmlspecialchars($label) ?><?= $required ? ' <span class="asterisk">*</span>' : '' ?></label>
-    <div class="admin-file-input">
+    <div class="admin-file-input"
         hx-post="<?= htmlspecialchars($validateUrl) ?>"
         hx-encoding="multipart/form-data"
         hx-trigger="change from:input[type='file']"
         hx-target="find .file-validation-msg"
         hx-swap="innerHTML"
         hx-include="[name='admin_mode'], [name='edit_mode'], [name='field_name']">
        <input type="hidden" name="field_name" value="<?= htmlspecialchars($fieldName) ?>">
        <input type="file"
               id="<?= htmlspecialchars($id) ?>"
               name="<?= htmlspecialchars($name) ?><?= $multiple ? '[]' : '' ?>"
@@ -30,6 +46,7 @@ $previewId = 'fp-' . htmlspecialchars($id);
               <?= $multiple ? 'multiple' : '' ?>
               <?= $required ? 'required' : '' ?>
               data-preview="<?= $previewId ?>">
        <div class="file-validation-msg" aria-live="polite"></div>
        <div id="<?= $previewId ?>" class="file-preview-list" aria-live="polite"></div>
        <?php if ($hint): ?>
        <small><?= $hintRaw ? $hint : htmlspecialchars($hint) ?></small>
@@ -37,4 +54,4 @@ $previewId = 'fp-' . htmlspecialchars($id);
    </div>
 </div>
 <?php
-unset($accept, $hint, $hintRaw, $required, $multiple, $id, $previewId);
+unset($accept, $hint, $hintRaw, $required, $multiple, $id, $fieldName, $previewId, $validateUrl);