PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 19:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity
291 Commits 1 Branch 0 Tags
27e1b6828d574dd22180e0ff2847b98a3f832fd7
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Pontoporeia 27e1b6828d Implement TFE file access restriction feature (complete) 
Requirements:
- parametres.php toggle: 'restricted_files_enabled' enables/disables the feature
- Public TFE page: when enabled + access_type=Interne, hides files, shows French
  restriction message + access request form (metadata/synopsis still visible)
- ERG emails (@erg.school / @erg.be): auto-approve, send 24h access link immediately
- External emails: show justification textarea, create pending request, notify admin
- Admin panel /admin/file-access.php: approve/reject requests with optional notes,
  sends access email on approval (linked from admin nav with pending count badge)

Security:
- One-time 24h email tokens (used_at + is_valid=0 on first click)
- Token redeemed via POST /validate-access (GET shows confirmation page only)
- Long-lived 30-day browser session in file_access_sessions table
- Cookie: HttpOnly + Secure + SameSite=Strict
- CSRF on all mutations, rate limiting on request submission
- Audit trail: IP, UA, event, timestamp in file_access_audit

Bug fixes:
- admin/file-access.php: $vars never extract()ed → page was blank
- Template had self-contained head/footer includes (double-include)
- Admin approval URL used $requestId instead of $request['thesis_id']
- App::boot() now starts session so CSRF token works on public pages
- Dispatcher routes /validate-access and /request-access through front controller
2026-04-27 20:20:52 +02:00
app
Implement TFE file access restriction feature (complete)
2026-04-27 20:20:52 +02:00
docs
fix: mark languages as required, add required-field visual indicators on both forms
2026-04-20 16:19:55 +02:00
nginx
feat: single entry point routing — convert to front controller pattern
2026-04-20 12:42:15 +02:00
scripts
refactor: remove test.db, use only posterg.db for all environments
2026-04-27 18:07:20 +02:00
.gitignore
Updated gitignore to keep cache folder but exclude rate_limit logs
2026-04-27 19:33:23 +02:00
.ignore
ops: simplify justfile, guard deploy-db, extract scripts, fix .gitignore
2026-03-02 16:08:45 +01:00
justfile
refactor: remove test.db, use only posterg.db for all environments
2026-04-27 18:07:20 +02:00
pi-session-2026-04-27T17-46-41-486Z_019dd00c-edcd-70f7-8ad0-2c3994b48903.html
Implement TFE file access restriction feature (complete)
2026-04-27 20:20:52 +02:00
README.md
refactor: remove test.db, use only posterg.db for all environments
2026-04-27 18:07:20 +02:00
TODO.md
Implement TFE file access restriction feature (complete)
2026-04-27 20:20:52 +02:00

README.md

XAMXAM

(Anciennement Posterg

Répertoire des travaux de fin d'études de l'ERG (École de Recherche Graphique).

Requirements

  • PHP 8.4
  • SQLite3 (php8.4-sqlite3)
  • nginx (production)

Development

just setup   # first-time: installs dev dependencies
just serve   # http://localhost:8000  (public) and /admin/
just test    # run test suite

Admin credentials in development are set via config/admin_credentials.php (see config/admin_credentials.example.php).

Deployment

Files are pushed to the server with rsync — there is no repo on the remote.

just deploy     # rsync app files → posterg:/var/www/posterg/
just deploy-db  # push local posterg.db → remote (only if remote DB is absent)

deploy-db refuses to run if a database already exists on the server, to avoid accidental overwrites of production data.

First-time server setup

ssh posterg
sudo mkdir -p /var/www/posterg
sudo chown www-data:posterg /var/www/posterg
sudo chmod 775 /var/www/posterg
exit

Then deploy once and apply nginx config:

just deploy
just deploy-nginx

Admin users (htpasswd)

just manage-admin-users
# Then on server:
ssh posterg "sudo bash /tmp/manage-admin-users.sh"

Security notes

  • Admin panel protected by nginx auth_basic + PHP session (AdminAuth)
  • Uploads stored outside webroot, served via controlled media.php
  • Rate limiting on public search (src/RateLimit.php)
  • See nginx/docs/SECURITY_HEADERS.md for security headers reference

Mise en place Dev

MacOS

Logiciels:

  • un IDE pour éditer → VSCode
  • git (ou une interface graphique) pour partager les modifications → git-gui (officiel) ou Github Desktop
  • un server web avec PHP pour visualiser le project dans le navigateur → MAMP

Workflow

  1. Faire un changement dans ton IDE
  2. Démarrer le site via MAMP, en sélectionnant le dossier public
  3. Vérifier que ça marche sur le site en local, depuis ton navigateur
  4. Une fois qu'un changement spécifique est fait, commit les changements sur les fichiers qui sont relatif à ce changement
  5. Vérifier que vous avez syncroniser avec le remotepull + rebase ! pas merge
  6. push les changements vers le remote
Reference in New Issue View Git Blame Copy Permalink
Description
Site permettant de consulter la collection de TFE de l'erg
Readme 74 MiB
Languages
PHP 80.5%
CSS 14.9%
Shell 2.8%
JavaScript 1.3%
Just 0.5%