- Remove 'Mots-clés' button from toolbar (redundant with admin sidebar tags)
- Replace export dialog with 'Exporter CSV' + 'Exporter fichiers' buttons in bulk selection bar
- Export dispatcher now accepts ?ids=1,2,3 for per-selection export
- All ExportController/Database methods accept optional thesisIds array
- Graceful error message when ZipArchive extension is missing on server
- Move DB export (SQLite download) to paramètres → Maintenance section
- Sticky table column headers (position: sticky, top: 0, z-index: 5) for index page table
1. note_intention: Delete old file only when a genuinely new upload arrives
(32-char hex file_id), not when the FilePond pool preserves an existing
file by sending its DB integer ID. Previously the DB integer ID
triggered $hasNewNote=true, which deleted the existing note_intention
from disk+DB, then handleFilePondSingleFile couldn't re-process it
because the regex requires a hex pattern. Same fix applied to cover.
2. All file deletions now use deleteThesisFileToTrash() which renames
files to tmp/_trash/ instead of unlinking. The trash preserves
original filenames prefixed with DB id for traceability. Skips
website URLs and PeerTube refs (no disk file).
3. Storage prefix changed from theses/ to documents/ to reflect that
the folder holds all document types (determined by file_type in DB).
MediaController visibility gate supports both prefixes for backward
compat with existing files.
4. File browser + relink feature for orphaned files:
- /admin/fragments/file-browser.php — HTMX tree browser for
storage/documents/ and storage/theses/
- /admin/actions/filepond/relink.php — POST endpoint that inserts
a thesis_files row pointing to existing on-disk file
- Per-pool "📂 Relier" buttons (edit mode only)
- JS: XamxamOpenFileBrowser / XamxamRelinkFile with FilePond integration
- CSS: .relink-modal dialog + .file-browser tree styles
Extract shared filepond logic into src/FilepondHandler.php class.
Admin filepond endpoints delegate to the handler after AdminAuth check.
New partage filepond endpoints at /partage/actions/filepond/ verify
share_active session flag + CSRF token, no admin auth required.
JS reads filepond-base meta tag to determine endpoint path:
- Admin pages: /admin/actions/filepond (via head.php isAdmin check)
- Partage form: /partage/actions/filepond (explicit meta)
partage/index.php sets share_active = true on form render, cleans up on
successful submit. Partage process endpoint rate-limited to 30/5min per
session. No nginx changes needed — /partage/ location already handles
PHP without auth_basic.
- Remove separate video/audio/peertube_video/peertube_audio pools from UI
- TFE pool now accepts all file types including video/audio
- When PeerTube is enabled, video/audio dropped into TFE pool auto-upload
to PeerTube (process.php detects MIME and uploads immediately)
- PeerTube return IDs now encode type: peertube:video:UUID or peertube:audio:UUID
- load.php returns placeholder SVG for PeerTube files so they appear in FilePond
- Edit mode: all existing files (including PeerTube) shown in TFE FilePond pool
- Remove legacy video/audio/peertube_* handling from both controllers
- Remove unused vide/audio/peertube_* entries from JS QUEUE_CONFIG
- Renamed section from 'Relay SMTP' to 'Emails'
- Merged 'Expéditeur par défaut' fieldset into the main SMTP grid
- Removed separate 'from_email' field: now uses username as from_email
- Changed username label from 'Nom d\'utilisateur' to 'Adresse e-mail'
with placeholder xamxam@erg.be and type=email
- from_name and notify_email now inline in the main grid after password
- Fix 413 Request Entity Too Large: bump client_max_body_size to 256M,
PHP post_max_size/upload_max_filesize to 256M, fastcgi timeouts to 300s
- Fix missing v_smtp_active view: add IF NOT EXISTS to all CREATE VIEW
statements in schema.sql for idempotent migrates
- Fix bars.svg 404: create animated SVG spinner in app/public/assets/img/
- Fix nginx rate limiting: increase admin zone from 60r/m (1 r/s) to
300r/m (5 r/s) with burst=30 to handle ~11 concurrent HTMX fragment
GETs on contenus.php page load
- Add deploy-nginx recipe to justfile for uploading nginx config to server
- Database readonly issue mitigated by existing --chown + deploy-server.sh
permissions fix
- Add comprehensive PHP/JS debugging logs for settings checkboxes:
per-field raw POST values in error_log, console.log on htmx:beforeSend,
htmx:sendError, htmx:afterRequest, toast lifecycle
- Fix toast auto-remove script: use getElementById with unique ID instead
of querySelector which could remove wrong toast on rapid clicks
- Replace hx-swap="none" with hx-target on response divs inside each of the
three fieldsets (Restrictions d'accès, Degré d'ouverture, Types de travaux)
- Add hxToastSuccess / hxToastError helpers in settings.php that return HTML
toast fragments with self-referencing auto-dismiss after 3s
- Each response div has aria-live="polite" for accessibility
- Add comprehensive PHP/JS debugging logs:
- settings.php logs raw POST values per field before resolving to 0/1
- checkboxes have hx-on::before-request and hx-on::after-request console.log
- global htmx:beforeSend and htmx:sendError listeners in admin footer
- toast lifecycle logged (creation + removal) for traceability
- Fix toast auto-remove: use getElementById with random unique ID instead
of querySelector which could remove wrong toast on rapid clicks
- Follows the Django+HTMX ajax checkbox pattern from the reference tutorial
feat(admin): add htmx toast feedback for settings checkboxes in contenus.php
- Replace hx-swap="none" with hx-target on response divs inside each of the
three fieldsets (Restrictions d'accès, Degré d'ouverture, Types de travaux)
- Add hxToastSuccess / hxToastError helpers in settings.php that return HTML
toast fragments with self-referencing auto-dismiss after 3s
- Each response div has aria-live="polite" for accessibility
- Add comprehensive PHP/JS debugging logs:
- settings.php logs raw POST values per field before resolving to 0/1
- checkboxes have hx-on::before-request and hx-on::after-request console.log
- global htmx:beforeSend and htmx:sendError listeners in admin footer
- toast lifecycle logged (creation + removal) for traceability
- Fix toast auto-remove: use getElementById with random unique ID instead
of querySelector which could remove wrong toast on rapid clicks
- Fix checkbox unresponsive after toggles: move hidden value="0" inputs
outside <label> to prevent HTML label double-activation
- Follows the Django+HTMX ajax checkbox pattern from the reference tutorial
feat(admin): add htmx toast feedback for settings checkboxes in contenus.php
- Replace hx-swap="none" with hx-target on response divs inside each of the
three fieldsets (Restrictions d'accès, Degré d'ouverture, Types de travaux)
- Add hxToastSuccess / hxToastError helpers in settings.php that return HTML
toast fragments with self-referencing auto-dismiss after 3s
- Each response div has aria-live="polite" for accessibility
- Add comprehensive PHP/JS debugging logs:
- settings.php logs raw POST values per field before resolving to 0/1
- checkboxes have hx-on::before-request and hx-on::after-request console.log
- global htmx:beforeSend and htmx:sendError listeners in admin footer
- toast lifecycle logged (creation + removal) for traceability
- Fix toast auto-remove: use getElementById with random unique ID instead
of querySelector which could remove wrong toast on rapid clicks
- Fix checkbox unresponsive after toggles: remove hidden value="0" inputs entirely; unchecked checkboxes are simply absent from POST and server treats missing key as 0
outside <label> to prevent HTML label double-activation
- Follows the Django+HTMX ajax checkbox pattern from the reference tutorial
- Replace fetch(redirect:manual) with XMLHttpRequest in file-upload-queue.js.
The previous fetch-based redirect detection was broken because opaque
redirects hide the Location header. XHR's responseURL reliably exposes
the final URL after server-side redirects.
- Add console.log tracing at every decision point in submit interception:
entry, hasFiles check, enctype check, double-submit guard, XHR status,
redirect detection, error fallback.
- Add error_log entry-point logging to all 16 admin action files plus
the partage/index.php submission handler and password gate. Each logs:
request method, content type/length, POST keys, file counts, and
queue-specific file counts where applicable.
- Add double-submit guard (_xamxamActiveSubmit) to prevent duplicate
XHR sends when the native submit handler fires after interception.
Mirrors the mots-clé tag-search system: dropdown suggestions from
existing languages via HTMX, pill display with bin-icon remove buttons,
'Créer' option for new languages. Replaces the plain text input.
- New partial: templates/partials/form/language-search.php
- New fragment: public/partage/language-search-fragment.php
- Admin wrapper: public/admin/language-search-fragment.php
- Updated language-autre-fragment to return just the required asterisk indicator
- Updated both controllers to handle language_autre as array (pill-based)
with backward-compatible string path
- Updated edit form to compute selectedOtherLanguages from DB
- Registered new route in partage/index.php
- Fix CSV importer: split comma-separated language column into individual entries
- Add htmx active search to admin index, title line-clamp, predefined languages only in checkboxes
- Admin index: filter form now uses htmx triggers (input delay:300ms on search,
change on selects) to actively search without page reload
- Sort links include hx-push-url for back-button support
- Added loading indicator bar (.admin-search-indicator)
- Title column: line-clamp at 2 lines with overflow hidden, native title attr
tooltip for full text
- Language checkboxes now show only 3 predefined languages (Français, Anglais,
Néerlandais); all others go via the Autre langue search component
- Added Database::getPredefinedLanguages() and excluded predefined from
language-search-fragment suggestions
- Included hidden sort/dir inputs in table-wrap so sort state preserved across
filter changes
- Fix language-search: block 'Créer' for predefined languages in dropdown
The 'Créer' option in the language-search dropdown now also checks against the
predefined set (français, anglais, néerlandais) to avoid offering creation of
languages that already exist as checkboxes.
- findOrCreateAuthor: always update email column (pass null when empty/falsy) so clearing an email actually persists
- admin/add.php & admin/edit.php old(): add null guard before htmlspecialchars, cast to string
- jury-fieldset.php: guard against old() returning array for scalar-checked jury_lecteur keys
- formulaire.php: only suppress display_errors in production (not cli-server dev mode)
- Removed dead contact_interne field from backoffice form (no DB column, never saved)
- Removed dead contactInterne validation from ThesisCreateController
- Added "— Non défini" radio option for access_type_id in admin mode for clearing
- Fixed strict int-vs-string comparison breaking radio button checked detection
- ErrorHandler tests: 77 assertions covering FK extraction, normalization, dedup, edge cases. Fix FK table map for child tables.
- Fix FK violation: (int)null → 0 in createThesis for orientation/ap/finality/license FK columns. Add FK value logging to updateThesis.
- Add CURRENT_ISSUES.md with summary of FK violation, dev debugging, and tag dedup status for next conversation
- Hardcode source code URL and credits in about template, remove from DB/admin interface; only contacts remains editable
- Merge apropos editables into one À propos section, remove charte, add editable source code URL
- toast-fragment.php: 204 early-exit now also checks flash['warning'];
previously the warning was consumed by consumeFlash() then silently dropped
- partage/index.php: store warning as plain text; htmlspecialchars() applied
once at render time — previously htmlspecialchars() was called inside the
stored string then again at output, producing ' entities etc.
- partage/index.php: flash-warning div gets id + tabindex=-1; inline JS
scrolls it into view and focuses it on DOMContentLoaded
- admin/footer.php: htmx:afterSettle listener focuses .toast--warning after
HTMX injects the toast fragment into #toast-region
- Add DuplicateThesisException (typed, carries existing thesis metadata)
- Add Database::findDuplicateThesis(): matches on year + author + normalised
title (exact, prefix, Levenshtein ≤10% of longer string)
- ThesisCreateController::submit() runs duplicate check before any DB write
and throws DuplicateThesisException on match
- AppLogger::logDuplicate() writes status=duplicate entries to the JSON-lines
log for audit purposes
- App::flash/consumeFlash extended to support 'warning' flash type
- admin/actions/formulaire.php: catches DuplicateThesisException, logs it,
flashes an HTML warning toast with a clickable link to the existing thesis,
and repopulates the form fields
- partage/index.php: same catch block; surfaces a plain-text flash-warning
banner on the student form with identifier, title, and year of the match;
form is repopulated via session
- toast.php: renders toast--warning variant
- admin.css: .toast--warning + link colour rules
- form.css: .flash-warning style for the partage form
Requirements:
- parametres.php toggle: 'restricted_files_enabled' enables/disables the feature
- Public TFE page: when enabled + access_type=Interne, hides files, shows French
restriction message + access request form (metadata/synopsis still visible)
- ERG emails (@erg.school / @erg.be): auto-approve, send 24h access link immediately
- External emails: show justification textarea, create pending request, notify admin
- Admin panel /admin/file-access.php: approve/reject requests with optional notes,
sends access email on approval (linked from admin nav with pending count badge)
Security:
- One-time 24h email tokens (used_at + is_valid=0 on first click)
- Token redeemed via POST /validate-access (GET shows confirmation page only)
- Long-lived 30-day browser session in file_access_sessions table
- Cookie: HttpOnly + Secure + SameSite=Strict
- CSRF on all mutations, rate limiting on request submission
- Audit trail: IP, UA, event, timestamp in file_access_audit
Bug fixes:
- admin/file-access.php: $vars never extract()ed → page was blank
- Template had self-contained head/footer includes (double-include)
- Admin approval URL used $requestId instead of $request['thesis_id']
- App::boot() now starts session so CSRF token works on public pages
- Dispatcher routes /validate-access and /request-access through front controller
