xamxam/app/public/admin/actions/filepond/load.php

<?php
/**
 * FilePond load endpoint — streams an existing thesis file back to FilePond.
 *
 * GET /admin/actions/filepond/load.php?id={db_id}
 *
 * Used in edit mode to restore saved files into the FilePond UI.
 */

require_once __DIR__ . '/../../../../bootstrap.php';
require_once __DIR__ . '/../../../../src/AdminAuth.php';
require_once __DIR__ . '/../../../../src/ErrorHandler.php';

AdminAuth::requireLogin();

// ── Only accept GET ──────────────────────────────────────────────────────
if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
    http_response_code(405);
    die('Méthode non autorisée.');
}

// ── Validate db_id ───────────────────────────────────────────────────────
$dbId = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT);
if ($dbId === false || $dbId <= 0) {
    http_response_code(400);
    die('ID invalide.');
}

// ── Look up file in DB (validation of thesis ownership is implicit via admin auth + DB lookup) ──
require_once APP_ROOT . '/src/Database.php';
$db = new Database();

// Fetch thesis_files row by its own primary key
$pdo   = $db->getConnection();
$stmt  = $pdo->prepare('SELECT * FROM thesis_files WHERE id = ?');
$stmt->execute([$dbId]);
$fileRow = $stmt->fetch();

if (!$fileRow) {
    http_response_code(404);
    die('Fichier introuvable.');
}

$filePath = $fileRow['file_path'] ?? '';
$fileName = $fileRow['file_name'] ?? basename($filePath);
$mimeType = $fileRow['mime_type'] ?? 'application/octet-stream';

// ── PeerTube entries: return a placeholder SVG blob so FilePond can display them ─┐
if (str_starts_with($filePath, 'peertube_ids:')) {
    $uuid = substr($filePath, strlen('peertube_ids:'));
    $isVideo = ($fileRow['file_type'] ?? '') === 'video';
    $svg = $isVideo
        ? '<svg xmlns="http://www.w3.org/2000/svg" width="180" height="120" viewBox="0 0 180 120"><rect width="180" height="120" fill="#1a1a2e"/><polygon points="70,35 70,85 125,60" fill="#e94560"/><text x="90" y="110" text-anchor="middle" font-family="sans-serif" font-size="10" fill="#aaa">PeerTube ' . htmlspecialchars($uuid) . '</text></svg>'
        : '<svg xmlns="http://www.w3.org/2000/svg" width="180" height="120" viewBox="0 0 180 120"><rect width="180" height="120" fill="#1a1a2e"/><circle cx="55" cy="60" r="20" fill="none" stroke="#4ecca3" stroke-width="3"/><line x1="72" y1="48" x2="95" y2="38" stroke="#4ecca3" stroke-width="3"/><line x1="72" y1="60" x2="110" y2="60" stroke="#4ecca3" stroke-width="3"/><line x1="72" y1="72" x2="95" y2="82" stroke="#4ecca3" stroke-width="3"/><text x="90" y="110" text-anchor="middle" font-family="sans-serif" font-size="10" fill="#aaa">PeerTube ' . htmlspecialchars($uuid) . '</text></svg>';
    header('Content-Type: image/svg+xml');
    header('Content-Length: ' . strlen($svg));
    header('Content-Disposition: inline; filename="peertube.svg"');
    header('Cache-Control: no-cache');
    echo $svg;
    exit;
}
if (str_starts_with($filePath, 'http://') || str_starts_with($filePath, 'https://')) {
    http_response_code(404);
    die('URL — pas de flux direct.');
}

// ── Resolve absolute path ────────────────────────────────────────────────
$absPath = STORAGE_ROOT . '/' . $filePath;

if (!file_exists($absPath) || !is_readable($absPath)) {
    http_response_code(404);
    die('Fichier absent du disque.');
}

// ── Stream the file ──────────────────────────────────────────────────────
$fileSize = filesize($absPath);

// Content-Disposition: inline so FilePond receives it as a valid file
header('Content-Type: ' . $mimeType);
header('Content-Length: ' . $fileSize);
header('Content-Disposition: inline; filename="' . addslashes($fileName) . '"');
header('Cache-Control: no-cache');

readfile($absPath);
exit;