mirror of
https://codeberg.org/PostERG/xamxam.git
synced 2026-06-25 16:19:19 +02:00
79eddf5d5a
1. note_intention: Delete old file only when a genuinely new upload arrives
(32-char hex file_id), not when the FilePond pool preserves an existing
file by sending its DB integer ID. Previously the DB integer ID
triggered $hasNewNote=true, which deleted the existing note_intention
from disk+DB, then handleFilePondSingleFile couldn't re-process it
because the regex requires a hex pattern. Same fix applied to cover.
2. All file deletions now use deleteThesisFileToTrash() which renames
files to tmp/_trash/ instead of unlinking. The trash preserves
original filenames prefixed with DB id for traceability. Skips
website URLs and PeerTube refs (no disk file).
3. Storage prefix changed from theses/ to documents/ to reflect that
the folder holds all document types (determined by file_type in DB).
MediaController visibility gate supports both prefixes for backward
compat with existing files.
4. File browser + relink feature for orphaned files:
- /admin/fragments/file-browser.php — HTMX tree browser for
storage/documents/ and storage/theses/
- /admin/actions/filepond/relink.php — POST endpoint that inserts
a thesis_files row pointing to existing on-disk file
- Per-pool "📂 Relier" buttons (edit mode only)
- JS: XamxamOpenFileBrowser / XamxamRelinkFile with FilePond integration
- CSS: .relink-modal dialog + .file-browser tree styles
114 lines
4.6 KiB
PHP
114 lines
4.6 KiB
PHP
<?php
|
|
/**
|
|
* Student-access link actions (create, toggle, set_password, archive).
|
|
*/
|
|
require_once __DIR__ . '/../../../bootstrap.php';
|
|
require_once __DIR__ . '/../../../src/AdminAuth.php';
|
|
require_once __DIR__ . '/../../../src/ShareLink.php';
|
|
require_once __DIR__ . '/../../../src/AdminLogger.php';
|
|
|
|
error_log('[acces-etudiante.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));
|
|
|
|
App::adminGuard();
|
|
|
|
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
|
|
|| !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
|
|
|| !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
|
|
http_response_code(403);
|
|
exit('CSRF token invalide.');
|
|
}
|
|
|
|
$action = $_POST['action'] ?? '';
|
|
$id = isset($_POST['id']) ? intval($_POST['id']) : 0;
|
|
$shareLink = ShareLink::make();
|
|
$logger = AdminLogger::make();
|
|
|
|
switch ($action) {
|
|
case 'create':
|
|
$name = !empty($_POST['name']) ? trim($_POST['name']) : null;
|
|
$expiresRaw = !empty($_POST['expires_at']) ? trim($_POST['expires_at']) : null;
|
|
$expiresAt = null;
|
|
if ($expiresRaw) {
|
|
$expiresAt = date('Y-m-d H:i:s', strtotime($expiresRaw));
|
|
if ($expiresAt <= date('Y-m-d H:i:s')) {
|
|
App::redirect('/admin/acces.php', error: "La date d'expiration doit être dans le futur.");
|
|
}
|
|
}
|
|
$objetRaw = $_POST['objet_restriction'] ?? ['tfe'];
|
|
$validObjet = ['tfe', 'thèse', 'frart'];
|
|
$selected = is_array($objetRaw) ? array_intersect($objetRaw, $validObjet) : [];
|
|
$objetRestriction = !empty($selected) ? implode(',', $selected) : 'tfe';
|
|
$lockedYearRaw = $_POST['locked_year'] ?? null;
|
|
$lockedYear = null;
|
|
if ($lockedYearRaw !== null && $lockedYearRaw !== '') {
|
|
$lockedYear = filter_var($lockedYearRaw, FILTER_VALIDATE_INT);
|
|
if ($lockedYear === false || $lockedYear < 2000 || $lockedYear > ((int)date('Y') + 3)) {
|
|
$lockedYear = null;
|
|
}
|
|
}
|
|
$link = $shareLink->create(1, $expiresAt, $objetRestriction, $name, $lockedYear);
|
|
$logger->logLinkCreate(
|
|
$link['slug'] ?? '',
|
|
true, // Always has password
|
|
$expiresAt,
|
|
$objetRestriction
|
|
);
|
|
// Flash the generated password and slug for display in the modal
|
|
$_SESSION['_flash_new_link_slug'] = $link['slug'] ?? '';
|
|
$_SESSION['_flash_new_link_password'] = $link['_plain_password'] ?? '';
|
|
App::redirect('/admin/acces.php', success: 'Lien d\'accès créé.');
|
|
break;
|
|
|
|
case 'toggle':
|
|
if ($id > 0) {
|
|
$nowActive = $shareLink->toggleActive($id);
|
|
$logger->logLinkToggle($id, $nowActive);
|
|
App::redirect('/admin/acces.php', success: 'Statut du lien modifié.');
|
|
} else {
|
|
App::redirect('/admin/acces.php', error: 'Lien introuvable.');
|
|
}
|
|
break;
|
|
|
|
case 'set_password':
|
|
if ($id > 0) {
|
|
$password = isset($_POST['password']) && $_POST['password'] !== '' ? trim($_POST['password']) : null;
|
|
$shareLink->setPassword($id, $password);
|
|
$logger->logLinkPasswordChange($id, $password === null);
|
|
App::redirect('/admin/acces.php', success: 'Mot de passe mis à jour.');
|
|
} else {
|
|
App::redirect('/admin/acces.php', error: 'Lien introuvable.');
|
|
}
|
|
break;
|
|
|
|
case 'archive':
|
|
if ($id > 0) {
|
|
$shareLink->archive($id);
|
|
$logger->logLinkArchive($id);
|
|
App::redirect('/admin/acces.php', success: 'Lien archivé.');
|
|
} else {
|
|
App::redirect('/admin/acces.php', error: 'Lien introuvable.');
|
|
}
|
|
break;
|
|
|
|
case 'update':
|
|
if ($id > 0) {
|
|
$name = isset($_POST['name']) ? trim($_POST['name']) : null;
|
|
$expiresRaw = isset($_POST['expires_at']) ? trim($_POST['expires_at']) : null;
|
|
// locked_year: null=not sent (keep), ""=clear, otherwise year string
|
|
$lockedYearRaw = $_POST['locked_year'] ?? null;
|
|
$lockedYear = null; // default: not sent → don't change
|
|
if ($lockedYearRaw !== null) {
|
|
$lockedYear = $lockedYearRaw; // pass through: "" for clear, "2026" for set
|
|
}
|
|
$shareLink->update($id, $name, $expiresRaw, $lockedYear);
|
|
App::redirect('/admin/acces.php', success: 'Lien mis à jour.');
|
|
} else {
|
|
App::redirect('/admin/acces.php', error: 'Lien introuvable.');
|
|
}
|
|
break;
|
|
|
|
default:
|
|
App::redirect('/admin/acces.php', error: 'Action inconnue.');
|
|
break;
|
|
}
|