# Post-ERG – Dependency & Refactoring Analysis

## Summary

The project has **zero external PHP library dependencies** (no Composer, no vendor/). All PHP logic relies exclusively on standard PHP extensions: PDO/SQLite, `finfo`, `session_*`, `password_verify`, `hash_equals`, `random_bytes`, `json_*`, SPL iterators. There is one vendored CSS file (`modern-normalize.min.css`, 1 file, 8 lines).

The only real problems are **internal structural bugs** and **dead code paths**, not third-party dependencies. The tasks below are ordered from critical to nice-to-have.

---

## Critical Bugs (broken at runtime)

- [x] **Fix broken `lib/` require paths in all admin pages**
  Admin pages (`add.php`, `edit.php`, `import.php`, `thanks.php`, `login.php`, `logout.php`, `actions/formulaire.php`, `actions/publish.php`) all require `../../lib/AdminAuth.php` and `../../lib/Database.php`, but the `lib/` directory **does not exist**. The actual files live in `src/`. This means the entire admin panel is broken. Fix: change all `lib/` references to `src/`.
- [x] **Fix missing `modern-normalize.css` (no `.min` variant)**
  `templates/header.php`, `templates/head.php`, and `public/search.php` reference `assets/modern-normalize.css` (without `.min`), but only `modern-normalize.min.css` exists. Either rename the file or update the references to be consistent.
- [x] **Fix `admin/index.php` inconsistency**
  `admin/index.php` uses `src/AdminAuth.php` (correct) but then `../../lib/Database.php` (broken). It should load from `src/` consistently.

---

## Structural / Code-Quality Refactors

- [ ] **Unify and rename `src/` path references across the entire codebase**
  After fixing the `lib/` → `src/` migration, normalise every admin page to load `src/Database.php` and `src/AdminAuth.php` via `APP_ROOT` (the constant already defined in `bootstrap.php`), removing the fragile relative-path `../../` chains.
- [x] **Eliminate the duplicate `searchTheses` / `countSearchResults` condition block**
  `Database::searchTheses()` and `Database::countSearchResults()` share identical WHERE-clause construction logic (~80 lines each). Extract a private `buildSearchConditions(array $params): array` helper that returns `[$conditions, $bindings]` and call it from both methods.
- [ ] **Remove `getConnection()` / `getPDO()` alias duplication**
  The `Database` class exposes `getConnection()`, `getPDO()`, and direct transaction delegation (`beginTransaction`, `commit`, `rollback`) purely because the admin code accesses raw PDO. Consider removing `getConnection()` (alias of `getPDO()`) and instead promoting the most-used raw queries into `Database` methods, reducing direct PDO exposure.
- [x] **Move inline SQL in `admin/index.php` into `Database`**
  `admin/index.php` builds a raw SQL query with dynamic filter conditions directly in the page. This is the only admin page doing so. Add a `getThesesList(array $filters): array` method to `Database` to match the pattern used everywhere else.
- [ ] **Add a `getThesisByIdAdmin(int $id): ?array` method to remove repeated raw queries in admin**
  `admin/thanks.php` and `admin/edit.php` each call `$db->getThesis($id)` then immediately issue further raw PDO queries for related data (`thesis_languages`, `thesis_formats`, files). Consolidate into a method that returns everything needed for the admin detail view.

---

## What Can Be Removed / Simplified

- [x] **Remove `include_template()` helper from `bootstrap.php` — it is never called**
  The function `include_template($name)` in `config/bootstrap.php` is dead code; pages use direct `include APP_ROOT . '/templates/...'` instead.
- [x] **Remove the Composer autoload stub from `bootstrap.php`**
  `bootstrap.php` has `if (file_exists(APP_ROOT . '/vendor/autoload.php'))` — there is no Composer vendor directory and no plan for one. Remove this dead branch.
- [x] **Delete `apps/admin/` directory**
  `apps/admin/` contains only `data/` (empty with test data) and `error.log` and `test.db`. It appears to be a leftover from an earlier structure. If confirmed unused, delete it.
- [x] **Remove `apps/` directory entirely if it contains only residual artefacts**
  Related to the above — verify no active code references `apps/`.

---

## What Needs External Dependencies (nothing — keep it that way)

- **Authentication**: `password_verify` + `session_*` + `random_bytes` — already standard PHP. No dependency needed.
- **Database**: PDO + SQLite — already standard PHP. No dependency needed.
- **Rate limiting**: File-based JSON sliding window — already implemented without deps. Could be replaced by Redis/APCu at scale, but unnecessary for current load.
- **File serving / MIME validation**: `finfo` (fileinfo extension) — standard PHP bundled extension.
- **CSRF**: `hash_equals` + `random_bytes` — standard PHP. No dependency needed.
- **CSS reset** (`modern-normalize`): The single vendored file (8 lines, minified) is small enough to keep vendored. No CDN link, no build step. ✓

---

## Testing Infrastructure

- [x] **Fix `SearchTest.php` — it calls `searchTheses()` with a string, not an array**
  `$db->searchTheses('art')` passes a string, but `searchTheses()` expects `array $params`. This test would throw a TypeError at runtime. Fix the call to `$db->searchTheses(['query' => 'art'])`.
- [ ] **Add a test for the `lib/` → `src/` path fix once it is applied**
  After the path fix, add a smoke test that `require`-s each admin page's dependencies to catch future regressions.

---

## Low Priority / Nice-to-Have

- [ ] **Normalise `modern-normalize` to a single canonical filename**
  Pick either `.min.css` or `.css` and use it everywhere. Prefer `.min.css` since the file is already minified.
- [ ] **Consider extracting file-upload logic from `formulaire.php` into `Database`**
  File validation, directory creation, and `insertThesisFile()` are scattered across `formulaire.php`. Wrapping them in a `Database::attachFile()` or a dedicated `FileUploadHandler` class would make `formulaire.php` much shorter and the upload logic testable.
- [ ] **Unify `head.php` vs `header.php` templates**
  The public site has both `templates/head.php` (shared `` tag) and `templates/header.php` (full `` + `
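The following is an added example, not the project's own `Database` class, showing the shape of the two refactors described under "Structural / Code-Quality Refactors": a private `buildSearchConditions(array $params): array` helper shared by `searchTheses()` and `countSearchResults()`, and a `getThesesList(array $filters)` method that replaces the inline SQL in `admin/index.php` with the same filter vocabulary. The table and column names (`theses`, `title`, `author`, `year`, `status`), the filter keys and the sample rows are assumptions constructed for the example; it runs stand-alone against an in-memory SQLite database.

```php
<?php
// Added example (not the project's code). Table/column names, filter keys and
// the sample rows below are assumptions constructed for illustration.
declare(strict_types=1);

final class Database
{
    private PDO $pdo;

    public function __construct(string $dsn = 'sqlite::memory:')
    {
        $this->pdo = new PDO($dsn, null, null, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
            PDO::ATTR_EMULATE_PREPARES   => false,
        ]);
    }

    /**
     * Build the WHERE clause once for every search/count/list query.
     * Only known keys are honoured and every value is bound through a
     * placeholder, so request input never becomes part of the SQL text.
     *
     * @return array{0: string, 1: array<string, int|string>} [$whereSql, $bindings]
     */
    private function buildSearchConditions(array $params): array
    {
        $conditions = [];
        $bindings   = [];

        if (($params['query'] ?? '') !== '') {
            // Escape LIKE metacharacters so a "%" or "_" typed by the user matches literally.
            $needle = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], (string) $params['query']) . '%';
            // Two placeholders with the same value: native prepares reject reusing one name twice.
            $conditions[]          = "(title LIKE :q_title ESCAPE '!' OR author LIKE :q_author ESCAPE '!')";
            $bindings[':q_title']  = $needle;
            $bindings[':q_author'] = $needle;
        }
        if (isset($params['year'])) {
            $conditions[]      = 'year = :year';
            $bindings[':year'] = (int) $params['year'];
        }
        if (isset($params['status'])) {
            $conditions[]        = 'status = :status';
            $bindings[':status'] = (string) $params['status'];
        }

        $where = $conditions === [] ? '' : ' WHERE ' . implode(' AND ', $conditions);
        return [$where, $bindings];
    }

    /** Bind each value with the right PDO type (LIMIT/OFFSET must not arrive as quoted strings). */
    private function run(string $sql, array $bindings): PDOStatement
    {
        $stmt = $this->pdo->prepare($sql);
        foreach ($bindings as $name => $value) {
            $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
        }
        $stmt->execute();
        return $stmt;
    }

    public function searchTheses(array $params, int $limit = 20, int $offset = 0): array
    {
        [$where, $bindings] = $this->buildSearchConditions($params);
        $sql = 'SELECT id, title, author, year FROM theses' . $where
             . ' ORDER BY year DESC, title ASC LIMIT :limit OFFSET :offset';
        return $this->run($sql, $bindings + [':limit' => $limit, ':offset' => $offset])->fetchAll();
    }

    public function countSearchResults(array $params): int
    {
        [$where, $bindings] = $this->buildSearchConditions($params);
        return (int) $this->run('SELECT COUNT(*) FROM theses' . $where, $bindings)->fetchColumn();
    }

    /** Admin listing with the same filters, replacing the inline SQL in admin/index.php. */
    public function getThesesList(array $filters): array
    {
        [$where, $bindings] = $this->buildSearchConditions($filters);
        return $this->run('SELECT * FROM theses' . $where . ' ORDER BY id DESC', $bindings)->fetchAll();
    }

    public function getPDO(): PDO { return $this->pdo; }
}

// Constructed sample data so the example runs stand-alone.
$db = new Database();
$db->getPDO()->exec('CREATE TABLE theses (id INTEGER PRIMARY KEY, title TEXT, author TEXT, year INTEGER, status TEXT)');
$db->getPDO()->exec("INSERT INTO theses (title, author, year, status) VALUES
    ('Art and Memory', 'A. Martin', 2021, 'published'),
    ('Digital Art Archives', 'B. Leroy', 2020, 'draft'),
    ('100% Cotton: Textile Histories', 'C. Dubois', 2021, 'published')");

$params = ['query' => 'art', 'year' => 2021];              // the array form SearchTest.php should pass
var_dump($db->countSearchResults($params), $db->searchTheses($params));
var_dump($db->searchTheses(['query' => '100%']));          // "%" is matched literally, not as a wildcard
var_dump($db->getThesesList(['status' => 'draft']));
```

Because the helper is the single place that turns request parameters into SQL, the allow-list of filter keys, the LIKE escaping and the typed binding are reviewed once instead of in three copies; a new filter added to the admin listing automatically reaches the public search and the count query with the same protections.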
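The "Rate limiting" bullet states that the project already has a file-based JSON sliding window with no dependencies. The following is an added example of that pattern, not the project's own implementation: the storage path, window length, hit limit and the client key are assumptions, and the `$now` parameter exists only so the run at the bottom is deterministic. The point it demonstrates is the two things such a limiter must get right: the read-prune-write cycle is serialised with `flock` so concurrent requests cannot race past the limit, and the stored list is bounded so the file cannot grow under a flood of requests.

```php
<?php
// Added example (not the project's limiter). Path, limits and key are assumptions.
declare(strict_types=1);

final class RateLimiter
{
    public function __construct(
        private string $storageDir,
        private int $maxHits = 5,
        private int $windowSeconds = 60,
    ) {
        if (!is_dir($storageDir) && !mkdir($storageDir, 0700, true) && !is_dir($storageDir)) {
            throw new RuntimeException("cannot create $storageDir");
        }
    }

    /**
     * Record one attempt for $key and return whether it is still allowed.
     * The whole read-prune-write cycle runs under an exclusive flock, so two
     * concurrent requests cannot both observe "4 hits" and both pass as the 5th.
     */
    public function attempt(string $key, ?int $now = null): bool
    {
        $now ??= time();
        // Hash the key (IP, username, ...) so it can never act as a path component.
        $file = $this->storageDir . '/' . hash('sha256', $key) . '.json';

        $fh = fopen($file, 'c+');
        if ($fh === false) {
            throw new RuntimeException("cannot open $file");
        }
        try {
            if (!flock($fh, LOCK_EX)) {
                throw new RuntimeException('lock failed');
            }
            $raw  = stream_get_contents($fh);
            $hits = $raw === '' ? [] : json_decode($raw, true);
            if (!is_array($hits)) {
                $hits = []; // corrupt or tampered file: start a fresh window
            }

            // Keep only timestamps still inside the window.
            $cutoff = $now - $this->windowSeconds;
            $hits   = array_values(array_filter($hits, fn ($t) => is_int($t) && $t > $cutoff));

            $allowed = count($hits) < $this->maxHits;
            // Denied attempts are recorded too, so hammering the endpoint keeps
            // the window full instead of letting it drain.
            $hits[] = $now;
            // Bounded storage: only the newest $maxHits timestamps affect the decision.
            $hits = array_slice($hits, -$this->maxHits);

            ftruncate($fh, 0);
            rewind($fh);
            fwrite($fh, json_encode($hits));
            fflush($fh);
            return $allowed;
        } finally {
            flock($fh, LOCK_UN);
            fclose($fh);
        }
    }
}

// Stand-alone run with a fixed clock: five attempts pass, the sixth is denied,
// and once the window has slid past the earliest hits the key is admitted again.
$limiter = new RateLimiter(sys_get_temp_dir() . '/ratelimit-demo-' . getmypid(), maxHits: 5, windowSeconds: 60);
$key = 'login:203.0.113.10'; // constructed client identifier (documentation range address)
$t0  = 1_700_000_000;
for ($i = 0; $i < 6; $i++) {
    var_dump($limiter->attempt($key, $t0 + $i));
}
var_dump($limiter->attempt($key, $t0 + 61));
```

The storage directory should sit outside the web root and be writable only by the PHP process; the hashed filename keeps a client-controlled key (a username, for instance) from ever being interpreted as a path. Switching this to APCu or Redis, as the analysis mentions for larger loads, changes only where the timestamp list lives; the prune-then-decide logic stays the same.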
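The last list item proposes moving the upload logic out of `formulaire.php` into a `FileUploadHandler` class, and the "File serving / MIME validation" bullet notes that `finfo` is the tool already used for content checks. The class below is an added example of what that extraction could look like; it is not code from the project. The extension allow-list, the size cap and the upload directory are assumptions, and the `insertThesisFile()` call in the commented usage assumes an argument list that the page does not give.

```php
<?php
// Added example (not the project's formulaire.php). Allow-list, size cap,
// upload directory and the insertThesisFile() argument list are assumptions.
declare(strict_types=1);

final class FileUploadHandler
{
    /** Extension => MIME types finfo must report for the file's actual bytes. */
    private const ALLOWED = [
        'pdf' => ['application/pdf'],
        'png' => ['image/png'],
        'jpg' => ['image/jpeg'],
    ];
    private const MAX_BYTES = 20 * 1024 * 1024;

    public function __construct(private string $uploadDir)
    {
        if (!is_dir($uploadDir) && !mkdir($uploadDir, 0750, true) && !is_dir($uploadDir)) {
            throw new RuntimeException('upload directory unavailable');
        }
    }

    /**
     * Validate one $_FILES entry and move it under a random, non-guessable name.
     * Returns the stored filename; throws InvalidArgumentException on any rejection.
     */
    public function store(array $file): string
    {
        if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
            throw new InvalidArgumentException('upload failed with error ' . ($file['error'] ?? 'none'));
        }
        if (!is_uploaded_file($file['tmp_name'])) {
            throw new InvalidArgumentException('not a file uploaded via HTTP POST');
        }
        if ($file['size'] > self::MAX_BYTES) {
            throw new InvalidArgumentException('file too large');
        }

        // The client-supplied name contributes only its extension; everything else is
        // discarded, so "../" or a double extension in the original name never reaches disk.
        $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        if (!isset(self::ALLOWED[$ext])) {
            throw new InvalidArgumentException('extension not allowed');
        }

        // finfo inspects the bytes on disk; $file['type'] is chosen by the client and ignored.
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
        if (!in_array($mime, self::ALLOWED[$ext], true)) {
            throw new InvalidArgumentException("content type $mime does not match .$ext");
        }

        $stored = bin2hex(random_bytes(16)) . '.' . $ext;
        $dest   = $this->uploadDir . '/' . $stored;
        if (!move_uploaded_file($file['tmp_name'], $dest)) {
            throw new RuntimeException('could not move upload');
        }
        chmod($dest, 0640); // readable by the web server, never executable
        return $stored;
    }
}

// How formulaire.php would call it from the request handler ($thesisId and the
// insertThesisFile() argument list are assumptions):
// $handler = new FileUploadHandler(APP_ROOT . '/data/uploads');
// try {
//     $stored = $handler->store($_FILES['document']);
//     $db->insertThesisFile($thesisId, $stored, $_FILES['document']['name']);
// } catch (InvalidArgumentException $e) {
//     http_response_code(400);
//     echo 'Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
// }
```

`store()` has to run inside an actual request because `is_uploaded_file()` and `move_uploaded_file()` only accept files PHP itself received, which is also what makes the class worth extracting: the extension and MIME checks are now in one method that a test can exercise with a constructed `$_FILES`-shaped array, rather than scattered through the page. Keeping the upload directory outside the document root and serving files through the existing `finfo`-backed download path means a stored file is never reachable as a script, whatever its original name was.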