- Fix 413 Request Entity Too Large: bump client_max_body_size to 256M,
PHP post_max_size/upload_max_filesize to 256M, fastcgi timeouts to 300s
- Fix missing v_smtp_active view: add IF NOT EXISTS to all CREATE VIEW
statements in schema.sql for idempotent migrates
- Fix bars.svg 404: create animated SVG spinner in app/public/assets/img/
- Fix nginx rate limiting: increase admin zone from 60r/m (1 r/s) to
300r/m (5 r/s) with burst=30 to handle ~11 concurrent HTMX fragment
GETs on contenus.php page load
- Add deploy-nginx recipe to justfile for uploading nginx config to server
- Database readonly issue mitigated by existing --chown + deploy-server.sh
permissions fix
- Add comprehensive PHP/JS debugging logs for settings checkboxes:
per-field raw POST values in error_log, console.log on htmx:beforeSend,
htmx:sendError, htmx:afterRequest, toast lifecycle
- Fix toast auto-remove script: use getElementById with unique ID instead
of querySelector which could remove wrong toast on rapid clicks
- Replace hx-swap="none" with hx-target on response divs inside each of the
three fieldsets (Restrictions d'accès, Degré d'ouverture, Types de travaux)
- Add hxToastSuccess / hxToastError helpers in settings.php that return HTML
toast fragments with self-referencing auto-dismiss after 3s
- Each response div has aria-live="polite" for accessibility
- Add comprehensive PHP/JS debugging logs:
- settings.php logs raw POST values per field before resolving to 0/1
- checkboxes have hx-on::before-request and hx-on::after-request console.log
- global htmx:beforeSend and htmx:sendError listeners in admin footer
- toast lifecycle logged (creation + removal) for traceability
- Fix toast auto-remove: use getElementById with random unique ID instead
of querySelector which could remove wrong toast on rapid clicks
- Follows the Django+HTMX ajax checkbox pattern from the reference tutorial
feat(admin): add htmx toast feedback for settings checkboxes in contenus.php
- Replace hx-swap="none" with hx-target on response divs inside each of the
three fieldsets (Restrictions d'accès, Degré d'ouverture, Types de travaux)
- Add hxToastSuccess / hxToastError helpers in settings.php that return HTML
toast fragments with self-referencing auto-dismiss after 3s
- Each response div has aria-live="polite" for accessibility
- Add comprehensive PHP/JS debugging logs:
- settings.php logs raw POST values per field before resolving to 0/1
- checkboxes have hx-on::before-request and hx-on::after-request console.log
- global htmx:beforeSend and htmx:sendError listeners in admin footer
- toast lifecycle logged (creation + removal) for traceability
- Fix toast auto-remove: use getElementById with random unique ID instead
of querySelector which could remove wrong toast on rapid clicks
- Fix checkbox unresponsive after toggles: move hidden value="0" inputs
outside <label> to prevent HTML label double-activation
- Follows the Django+HTMX ajax checkbox pattern from the reference tutorial
feat(admin): add htmx toast feedback for settings checkboxes in contenus.php
- Replace hx-swap="none" with hx-target on response divs inside each of the
three fieldsets (Restrictions d'accès, Degré d'ouverture, Types de travaux)
- Add hxToastSuccess / hxToastError helpers in settings.php that return HTML
toast fragments with self-referencing auto-dismiss after 3s
- Each response div has aria-live="polite" for accessibility
- Add comprehensive PHP/JS debugging logs:
- settings.php logs raw POST values per field before resolving to 0/1
- checkboxes have hx-on::before-request and hx-on::after-request console.log
- global htmx:beforeSend and htmx:sendError listeners in admin footer
- toast lifecycle logged (creation + removal) for traceability
- Fix toast auto-remove: use getElementById with random unique ID instead
of querySelector which could remove wrong toast on rapid clicks
- Fix checkbox unresponsive after toggles: remove hidden value="0" inputs entirely; unchecked checkboxes are simply absent from POST and server treats missing key as 0
outside <label> to prevent HTML label double-activation
- Follows the Django+HTMX ajax checkbox pattern from the reference tutorial
- about.php: use EmailObfuscator::email() for contact email link text instead of htmlspecialchars
- SearchController: raise rate limit from 30 to 300 req/min
- request-access.php: raise rate limit from 3 to 30 req/10min
- partage/index.php: raise rate limit from 5 to 50 req/10min
- contenus.php: make Libre option toggleable (remove disabled class), move to top of Degré d'ouverture, remove temporary note about next academic year
jury-fieldset.php called old('jury_promoteur') as a global function,
but the partage context defines old(array $data, string $key) —
passing a string where array is expected caused a TypeError.
Changed jury-fieldset.php to use $oldFn callable (like fieldset-tfe-info.php),
with fallback to global old() when not provided. The add-mode repopulation
block no longer calls the global old() directly.
recapitulatif.php (partage):
- Center .thanks-success and add bottom margin/padding
- Display ALL fields: identifier, synopsis, languages, formats,
jury (all roles), baiu link, license, access type
- Add validation notice asking user to verify info, with
xamxam@erg.be contact link (email obfuscated)
StudentEmail:
- Add 'Note contextuelle' and license_custom to email recap
- Rename 'Promoteur·ice(s)' to 'Promoteur·ice(s) interne'
- Change email message to ask student to verify info + contact
for errors
CSV export/import:
- Add 3 new CSV columns: Lecteur·ice(s) interne,
Lecteur·ice(s) externe, Promoteur·ice(s) ULB
- Export splits supervisors by role/is_external/is_ulb into
separate columns
- Import inserts supervisors with correct role, is_external,
and is_ulb flags (was: all treated as generic supervisors)
- Add header matching for short distinguishers (ulb, externe)
via str_contains fallback
- Fix undefined $isExternalUrl in tfe.php (moved after assignment)
- Disable PeerTube rendering in tfe.php entirely
- Migration 028: drop banner_path from theses with proper view handling
- Drop dependent views before column, recreate without banner_path
- Remove broken 027_drop_banner_path.sql
- Move 025_fix_oui_non_artefacts.sql and 021_peertube_settings.sql to applied/
- Add scripts/ensure-db.php to init fresh DB from schema.sql when missing
- Update deploy justfile to run ensure-db.php before migrations
- Fix promoteurice array repopulation in partage form:
- Fix old() to return raw arrays (not json_encode) so callers can iterate
- Handle jury_promoteur[] and jury_promoteur_ulb_name[] arrays properly
- Delete file-upload-queue.js (495 lines of custom queue logic)
- Delete sortable.min.js dependency
- Add file-upload-filepond.js: thin wrapper that upgrades .tfe-file-picker
inputs to FilePond instances with storeAsFile:true for native multipart
form submission (no form-submit interception needed)
- Update fichiers-fragment.php: replace queue container <ul> elements
and empty-state <p> with bare <input> elements that FilePond upgrades;
change name attributes to queue_file[tfe][] etc. for PHP compatibility
- Update add.php, edit.php, partage/index.php: swap JS/CSS refs
- Clean up form.css: remove .fq-* and .tfe-file-queue custom styles,
add FilePond theme overrides matching xamxam design tokens
- Update dead-code fieldset-files.php for consistency
Server-side stays unchanged: PHP receives ['queue_file']['tfe'][]
exactly as before through native multipart submission.
The checkbox-list partial defaulted hx-include to 'this, #website-url-fieldset',
but #website-url-fieldset only exists when `Site web` is checked in the
format list. Every language checkbox click triggered a no-match warning
and a cascade triggering the known HTMX internal-data crash.
- Replace fetch(redirect:manual) with XMLHttpRequest in file-upload-queue.js.
The previous fetch-based redirect detection was broken because opaque
redirects hide the Location header. XHR's responseURL reliably exposes
the final URL after server-side redirects.
- Add console.log tracing at every decision point in submit interception:
entry, hasFiles check, enctype check, double-submit guard, XHR status,
redirect detection, error fallback.
- Add error_log entry-point logging to all 16 admin action files plus
the partage/index.php submission handler and password gate. Each logs:
request method, content type/length, POST keys, file counts, and
queue-specific file counts where applicable.
- Add double-submit guard (_xamxamActiveSubmit) to prevent duplicate
XHR sends when the native submit handler fires after interception.
Drops the session-backed HTMX incremental upload system in favour of a
single JS module that manages `File` objects client-side and injects
them into `FormData` on submit.
Key changes:
* `file-upload-queue.js`: client-side queues with validation, reorder
(SortableJS), removal, dirty-state tracking, and fetch-based submit
with manual redirect handling
* `fichiers-fragment.php`: empty queue containers for JS-managed queues;
HTMX format switching still works with queue rehydration after swap;
annexe uploads now support multiple files
* Form UI cleanup: moved existing files and cover preview into the
`Fichiers` fieldset (edit mode); removed redundant queue labels while
keeping labels for single-file inputs (`couverture`,
`note d'intention`); added delete buttons for existing files
* `ThesisFileHandler.php`: added
`handleTfeQueueFiles()`/`handleAnnexeQueueFiles()` reading from
`$_FILES['queue_file']`; introduced `extractFilesSubArray()` for
nested upload arrays; removed session-based queue handling
* `ThesisCreateController.php` &
`ThesisEditController.php`: switched to extracted
`['queue_file']` uploads
* `beforeunload-guard.js`: now also watches
`window.__xamxamDirty`
* Deleted obsolete PHP upload/remove/reorder queue endpoints for
`partage` and `admin`
* Cleaned up route dispatch in `partage/index.php`
* Misc form and styling updates in templates/CSS
* Added `docs/cms-migration-plan.html`
- Wrap file-field.php validation in <form> to scope hx-include (fixes
cross-field contamination where cover change triggered note_intention
validation)
- Add inline MIME/size validation to upload-tfe-file.php
- Add inline validation to PeerTube video/audio and direct video/audio
file inputs in format-extras-block
- Fallback in validate-file-fragment-shared.php: if field_name doesn't
match any $_FILES key, try the first uploaded file (handles
PeerTube inputs where name differs from field_name)
- Fix file-field.php admin_mode using $adminMode variable instead of
undefined ADMIN_MODE constant
Replace the client-side FileArray + Sortable drag-to-reorder with a
server-side session-based upload flow:
- New endpoints: /partage/upload-tfe-file, /partage/remove-tfe-file
(and /admin/ variants) — single-file incremental upload via HTMX
multipart/form-data with progress bar support
- Session storage: uploaded files go to STORAGE_ROOT/uploads/{session_id}/
with metadata in $_SESSION['tfe_uploads']
- file-upload-queue.js reduced to single-file previews only (couverture,
note_intention, annexes thumbnails)
- ThesisFileHandler gains handleTfeFilesFromSession + writeTfeFileFromSrc
+ cleanupSessionUploads for final commit from session temp
- Sortable.min.js removed from all script tags; drag handles and ghost
CSS removed
- No file_orders[]/file_labels[] hidden field injection needed
- Upload queue survives page refresh (server-owned list)
This eliminates the SortableJS dependency entirely while keeping the
same UX: pick files, see them in a queue, remove individual files.
Added EmailObfuscator class (src/EmailObfuscator.php) that converts
email addresses to HTML decimal entities (e.g. foo@...)
so browsers render them correctly but bots and scrapers see gibberish.
Methods:
- email($addr): obfuscate for display in HTML content
- mailto($addr): return obfuscated mailto: href
- obfuscateHtml($html): post-process rendered HTML to obfuscate all
mailto: links (used after Parsedown/Markdown rendering)
Applied to:
- partage/index.php: mailto link at top + error scenarios via _flash_contact
flag rendered in form.php (outside htmlspecialchars to avoid double-escape)
- admin/acces.php: request email mailto links
- admin/file-access.php: request email mailto links
- public/about.php: contact email mailto links
- public/tfe.php: author contact mailto links
- AboutController: Parsedown output post-processing
- LicenceController: Parsedown output post-processing
- Dispatcher::render(): require_once EmailObfuscator for all public views
Also fixed _flash_contact session flag in form.php partial to show
contact email line on share link validation errors (separate from
flash_error/warning to bypass htmlspecialchars double-escaping).
The share link (partage) form does not expose a license field and does
not send access_type_id (defaults to 2/Interne). Server-side validation
was unconditionally requiring a license for non-admin submissions,
causing all share link submissions to fail.
Now the license check is gated on adminMode=false AND accessTypeId=1
(Libre), matching the client-side HTMX fragment behaviour in
licence-fragment.php. Also fixed a use-before-definition where
accessTypeId was referenced before being assigned.
Student form improvements:
- Add xamxam@erg.be mailto link at top of form
- On validation error, append "Si le problème persiste, envoyez un
e-mail à xamxam@erg.be" to the flash message
- Preserve uploaded file names across validation redirects: store in
session (share_primed_files_<slug>), display as warning on form
re-render so the student knows which files to re-select
- License: only required for non-admin when access_type_id=1 (Libre),
not for Interne (2) or Interdit (3). Fixes share link submissions
failing with "Veuillez sélectionner une licence". Also fixed
use-before-definition of accessTypeId.
- mots-clé and language where sharing the same q variable for the input value; they now have unique variables.
The admin language-search-fragment was missing App::boot() which the tag-search
fragment had. This caused the language suggestion dropdown to not return results
in Firefox. Both fragments now follow the same bootstrap pattern.
Rewrote language-search-fragment.php to use the same clean pattern as
tag-search-fragment.php: ->searchLanguages(), simple exact match check,
no predefined exclusion list. Both fragments now share identical structure.
fix: exclude main languages (français, anglais, néerlandais) from language-search suggestions
- Rename 'Éditer Données Secondaires' → 'Données Secondaires', remove fieldset wrapper on Mots-clés link
- Create admin-toc.php partial: IntersectionObserver-based sidebar nav
- Include TOC on contenus.php, acces.php, parametres.php
- Add .admin-with-toc flex layout (sidebar + main) and .admin-toc CSS
- Fonts (Ductus, BBB DM Sans): verified loaded via variables.css → common.css import chain
- TOC: move inside <main> as <aside>, content in <article>, fix scrolling
- Lazy load: hx-trigger='load delay:100ms' with spinner (htmx-indicator) for tags/langues
- Inline rename: edit button in Nom cell, HTMX post for rename, validate+ cancel buttons
- Checkbox column: width:1% / fit-content
- Remove per-row merge forms/selects, only bulk merge when ≥2 checkboxes selected
- Remove per-row merge dialogs, keep only bulk merge and delete dialogs
- Add htmx-settling CSS transition for lazy-load fade-in
- Update acces.php/parametres.php: article layout, TOC inside main
- TOC: DOMContentLoaded guard, use <nav>+<a> directly instead of <ul>/<li>
- Section spacing: margin-bottom on sections and fieldsets in admin-main--toc
- Language dedup: GROUP BY LOWER(name) in getAllLanguagesWithCount and searchLanguages
- deduplicateLanguages() merges duplicate names and reassigns thesis_languages
- Sticky bulk-actions: position:sticky;top:0;z-index:10
- Tags toolbar: title left, stat count right (margin-left:auto), search bar under
- Tags count stat updated via hx-swap-oob from fragment
- Remove margin/max-width from .admin-main--toc
- Gap between TOC and article: --space-xs, sticky top: --space-xs
- Main padding: --space-s / --space-m / --space-xl (was --space-l/--space-l/--space-2xl)
- Article padding-top: --space-m
- Removed 'Supprimer tous les TFE' danger zone from parametres (template, dialog,
backend handler, Database::deleteAllTheses(), AdminLogger method)
- Moved Formulaire section (access type toggles, restricted files) from parametres
to contenus under new h2 'Paramètres du Formulaire'
- Moved Types de travaux from parametres to contenus as sub-section under
Paramètres du Formulaire
- Existing 'Structure du formulaire' section now a sub-heading (h3) under
Paramètres du Formulaire in contenus
- Sub-sections: Restrictions d'accès aux fichiers, Degré d'ouverture,
Types de travaux, Structure du Formulaire
- Added siteSettings query to contenus controller
Mirrors the mots-clé tag-search system: dropdown suggestions from
existing languages via HTMX, pill display with bin-icon remove buttons,
'Créer' option for new languages. Replaces the plain text input.
- New partial: templates/partials/form/language-search.php
- New fragment: public/partage/language-search-fragment.php
- Admin wrapper: public/admin/language-search-fragment.php
- Updated language-autre-fragment to return just the required asterisk indicator
- Updated both controllers to handle language_autre as array (pill-based)
with backward-compatible string path
- Updated edit form to compute selectedOtherLanguages from DB
- Registered new route in partage/index.php
- Fix CSV importer: split comma-separated language column into individual entries
- Add htmx active search to admin index, title line-clamp, predefined languages only in checkboxes
- Admin index: filter form now uses htmx triggers (input delay:300ms on search,
change on selects) to actively search without page reload
- Sort links include hx-push-url for back-button support
- Added loading indicator bar (.admin-search-indicator)
- Title column: line-clamp at 2 lines with overflow hidden, native title attr
tooltip for full text
- Language checkboxes now show only 3 predefined languages (Français, Anglais,
Néerlandais); all others go via the Autre langue search component
- Added Database::getPredefinedLanguages() and excluded predefined from
language-search-fragment suggestions
- Included hidden sort/dir inputs in table-wrap so sort state preserved across
filter changes
- Fix language-search: block 'Créer' for predefined languages in dropdown
The 'Créer' option in the language-search dropdown now also checks against the
predefined set (français, anglais, néerlandais) to avoid offering creation of
languages that already exist as checkboxes.
- v_theses_full: author_email→contact_interne, author_show_contact→contact_public
- Updated schema.sql and live DB view
- Renamed all PHP variables: currentAuthorEmail→contactInterne, currentAuthorShowContact→contactPublic
- Restored contact_interne backoffice field with proper wiring (takes precedence over mail field)
- Updated admin/add.php, admin/edit.php, partage/index.php, public/tfe.php templates
- findOrCreateAuthor: always update email column (pass null when empty/falsy) so clearing an email actually persists
- admin/add.php & admin/edit.php old(): add null guard before htmlspecialchars, cast to string
- jury-fieldset.php: guard against old() returning array for scalar-checked jury_lecteur keys
- formulaire.php: only suppress display_errors in production (not cli-server dev mode)
- Removed dead contact_interne field from backoffice form (no DB column, never saved)
- Removed dead contactInterne validation from ThesisCreateController
- Added "— Non défini" radio option for access_type_id in admin mode for clearing
- Fixed strict int-vs-string comparison breaking radio button checked detection
- ErrorHandler tests: 77 assertions covering FK extraction, normalization, dedup, edge cases. Fix FK table map for child tables.
- Fix FK violation: (int)null → 0 in createThesis for orientation/ap/finality/license FK columns. Add FK value logging to updateThesis.
- Add CURRENT_ISSUES.md with summary of FK violation, dev debugging, and tag dedup status for next conversation
- Remove admin-bulk-meta__default (TFE count bar) — only bulk actions on selection
- Move #bulk-form out of table wrapper to avoid nested forms (was breaking
per-row publish/unpublish which submitted to bulk form instead)
- execBulk() now populates #bulk-checkboxes with hidden inputs from checked boxes
- Add event.stopPropagation() to edit link and delete+publish forms so
clicking actions doesn't navigate the row to recapitulatif
- Delete button: only opens confirm modal, no row nav
Move the is_published checkbox from its own separate Publication fieldset
into the Backoffice fieldset (as item #8). This means the publish control
is now present in both add and edit admin forms (previously it was only
shown in edit mode via $showPublish).
- Replace mb_strlen/mb_substr/mb_strtolower with strlen/substr/strtolower
(mbstring extension missing on server, causing fatal error)
- Scope annexes checkbox HTMX swap to #annexes-input-block with hx-select
(prevents duplicating entire page inside Fichiers fieldset)
- Split format+fichiers response: #format-fichiers-block (stable) and
#format-extras-block (swappable, inside Fichiers fieldset). Format
checkboxes use hx-select to extract only the extras, preserving file queue.
- Keep format extras inline in Fichiers fieldset (no sub-fieldsets). Remove
website legend input (URL only).
- When PeerTube upload disabled, show direct file upload inputs for
video/audio (name=files[]).
- Add "Glissez-déposez" sort hint below TFE file queue.
- Fix .fq-name overflow with width:0;min-width:100% chain.
- Remove legend placeholder from .fq-item.
- Merge "Récits et expérimentation" AP into "Narration Spéculative".
Rename PACS to "Pratique de lart - outils critiques, arts et contexte
simultanés".
- Remove président·e field from jury fieldset, form templates, and
controller validation. Keep DB column and display logic for existing data.
- Add baseline input[type="checkbox"] and input[type="radio"] styling
in common.css (accent-color, size, cursor, flex-shrink)
- Give select a solid background (var(--bg-primary)) and its own focus rule
- Remove now-redundant checkbox accent-color/size from
.admin-checkbox-label (form.css) and .param-checkbox (admin.css)
- Simplify .search-filter-select (repertoire.css) to inherit common
select defaults (border, background, arrow icon)
- Keep all layout-specific classes in form.css and admin.css intact
- Add baseline input[type="checkbox"] and input[type="radio"] styling
in common.css (accent-color, size, cursor, flex-shrink)
- Give select its own rule block with same shape as text inputs
(transparent background, same padding/border/radius/focus)
- Remove now-redundant checkbox accent-color/size from
.admin-checkbox-label (form.css) and .param-checkbox (admin.css)
- Simplify .search-filter-select (repertoire.css) to inherit common
select defaults
- Keep all layout-specific classes in form.css and admin.css intact
- Remove bottom-border/border-radius:0 overrides from .admin-form,
.admin-inline-form, .param-form, and .param-grid inputs/selects
- Change required-field indicator from border-bottom-style to
border-style: dashed to work with full-border approach
- Update param-grid aria-invalid from border-bottom-color to border-color
- All text inputs, selects, and textareas now inherit the full-border
style from common.css (border, border-radius, padding, focus ring)
- .password-gate input[password]: remove redundant padding override
- .retry-email-form input[email]: remove redundant border/border-radius/
padding/box-sizing, keep only font-size (larger) and width
- .tfe-access-request-form input/textarea: remove broken references to
undefined vars (--border, --background, --accent), now inherit from
common.css. Remove redundant focus rule.
- .fhb-name-input: strip redundant padding/border/radius/font-size/font
- .admin-inline-form input/select: strip redundant font-size
- .param-checkbox: remove font-size (inherits from body)
- .param-checkbox small: remove redundant color + font-size (common.css small already sets both)
- .param-note: remove font-size
- .param-account-status: remove font-size
- .param-smtp-test-row label: remove display:block + font-size (common.css label)
- .param-smtp-status: remove font-size
- .param-grid label: remove font-size
- Remove .param-form legend padding override (now inherits common.css legend)
- Remove .param-danger-zone legend padding override
- Remove .param-export-zone legend padding override
- Remove .param-fieldset-inline legend entirely (only rule was padding)
- Remove .licence-explanation legend entirely (all properties identical to common.css legend)
- All fieldsets now consistently use common.css fieldset padding
(0 var(--space-m) var(--space-m) var(--space-m))
- The common.css fieldset has padding-top: 0, which leaves checkboxes
and other content tight against the legend. Add var(--space-s) top
padding so the first content row has proper spacing from the legend.
