# posterg

Directory of final-year projects (travaux de fin d'études) from the [ERG](https://erg.be) (École de Recherche Graphique).

## Requirements

- PHP 8.4
- SQLite3 (`php8.4-sqlite3`)
- nginx (production)

## Project structure

```
posterg/
├── public/                   # DocumentRoot — web-accessible only
│   ├── admin/                # Admin panel (session-authenticated)
│   ├── assets/               # CSS, fonts, icons
│   ├── media.php             # Controlled file serving (covers, PDFs)
│   └── *.php                 # Public pages (index, search, tfe, apropos)
├── src/                      # PHP classes (not web-accessible)
│   ├── AdminAuth.php
│   ├── Database.php
│   ├── RateLimit.php
│   └── config.php
├── templates/                # Shared PHP template partials
├── config/                   # Bootstrap and credentials (not web-accessible)
├── storage/                  # Database and uploaded files (not web-accessible)
│   ├── schema.sql
│   ├── test.db
│   └── fixtures/
├── tests/
├── scripts/                  # Dev and server management scripts
│   ├── setup-dev.sh
│   ├── deploy-server.sh      # Run on server with sudo to apply nginx config
│   └── manage-admin-users.sh # Run on server with sudo to manage htpasswd
└── nginx/                    # nginx config and reference files
    └── posterg.conf
```

Uploaded files (PDFs, covers) live in `storage/` — outside the webroot — and are served exclusively through `public/media.php`, which validates paths and MIME types.

## Development

```bash
just setup   # first-time: installs dev dependencies
just serve   # http://localhost:8000 (public) and /admin/
just test    # run test suite
```

Admin credentials in development are set via `config/admin_credentials.php` (see `config/admin_credentials.example.php`).

## Deployment

Files are pushed to the server with rsync — there is no repo on the remote.

```bash
just deploy      # rsync app files → posterg:/var/www/posterg/
just deploy-db   # push local test.db → remote (only if remote DB is absent)
```

`deploy-db` refuses to run if a database already exists on the server, to avoid accidental overwrites of production data.

### First-time server setup

```bash
ssh posterg
sudo mkdir -p /var/www/posterg
sudo chown www-data:posterg /var/www/posterg
sudo chmod 775 /var/www/posterg
exit
```

Then deploy once, copy nginx config, and apply:

```bash
just deploy
rsync -v nginx/posterg.conf posterg:/tmp/posterg.conf
ssh posterg "sudo bash /var/www/posterg/scripts/deploy-server.sh"
ssh posterg "sudo systemctl reload nginx"
```

### Admin users (htpasswd)

```bash
ssh posterg "sudo bash /var/www/posterg/scripts/manage-admin-users.sh"
```

## Security notes

- Admin panel protected by nginx `auth_basic` + PHP session (`AdminAuth`)
- Uploads stored outside webroot, served via controlled `media.php`
- Rate limiting on public search (`src/RateLimit.php`)
- See `docs/TODO.SECURITY.md` for outstanding items
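
The path and MIME validation that a controlled file-serving script such as `media.php` performs can look like the following. This is an added PHP example, not the project's own code; the function names, the MIME allowlist and the temporary sample files are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the README only says "covers, PDFs".
const ALLOWED_MIME = ['application/pdf', 'image/jpeg', 'image/png', 'image/webp'];

/** Resolve a client-supplied relative path to a real file inside $root, or null. */
function resolve_media_path(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    // PHP 8 filesystem calls throw on NUL bytes, so reject them up front.
    if ($rootReal === false || $requested === '' || str_contains($requested, "\0")) {
        return null;
    }
    // realpath() collapses "..", follows symlinks, and fails on missing files.
    $real = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The trailing separator stops a sibling like "storage-old" matching "storage".
    return str_starts_with($real, $rootReal . DIRECTORY_SEPARATOR) ? $real : null;
}

/** MIME type sniffed from file content (not the extension), or null if not allowed. */
function allowed_mime(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return in_array($mime, ALLOWED_MIME, true) ? $mime : null;
}

// Constructed sample files in a temp directory so the example runs offline.
$base = sys_get_temp_dir() . '/posterg_demo_' . bin2hex(random_bytes(4));
mkdir("$base/storage/covers", 0700, true);
file_put_contents("$base/storage/covers/a.pdf", "%PDF-1.4\n%constructed sample\n");
file_put_contents("$base/storage/covers/fake.pdf", "<?php echo 'not a pdf';");
file_put_contents("$base/secret.txt", "outside storage\n");

foreach (['covers/a.pdf', 'covers/fake.pdf', '../secret.txt', 'covers/missing.pdf'] as $req) {
    $path = resolve_media_path("$base/storage", $req);
    $mime = $path === null ? null : allowed_mime($path);
    printf("%-20s => %s\n", $req, $mime !== null ? "serve as $mime" : 'reject (404)');
}

// Remove the constructed sample files.
array_map('unlink', ["$base/storage/covers/a.pdf", "$base/storage/covers/fake.pdf", "$base/secret.txt"]);
rmdir("$base/storage/covers"); rmdir("$base/storage"); rmdir($base);
```

Returning the same 404 for every rejection avoids telling a client whether a path exists outside the storage root.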