PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 19:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
b7be93e30bc28cf7fdf45c22a3b8ce4c0934e04d
xamxam/TODO.md
Pontoporeia b7be93e30b Security: rate limiting and flash messaging for partage share links 
- Add rate limiting (5 submissions per IP per 10 min, per share link)
  to prevent abuse of shared submission endpoints
- Replace all plain die() error responses with styled flash messages
  and redirects (invalid slug, disabled link, expired link, wrong password,
  rate limit exceeded, CSRF failure)
- Add dedicated error page renderer for disabled/expired links with
  home page link
- Password gate now uses flash message via session redirect instead
  of inline error variable
2026-04-16 13:07:16 +02:00

34 lines
2.5 KiB
Markdown
Raw Blame History

# TODO
- [x] Make thanks.php respect student mode (no header, centered "add new form" button)
- [x] Add hidden input `student_mode` in add.php form when in student mode
- [x] Append `mode=student` to thanks redirect in formulaire.php
- [x] Update thanks.php to detect student mode, hide header, show centered button
- [x] Cleanup public/admin/add.php — standardise fieldsets and add licence explanation sections from docs PDF
- [x] Organise all fields into `<fieldset>/<legend>` blocks: Informations du TFE, Composition du jury, Cadre académique, Fichiers, Métadonnées complémentaires
- [x] Remove double-wrapping of jury-fieldset (it has its own `<fieldset>`)
- [x] Add "Degrés d'ouverture et licences" section (Libre / Interne / Interdit + Généralités) wrapped in `if ($studentMode)` — hidden in admin
- [x] Migrate student mode form to shareable links system (/partage/<form-url>)
- [x] Create `share_links` database table (id, slug YYYYMMDD-random, password_hash, is_active, usage_count, created_by, created_at, expires_at nullable)
- [x] Create `ShareLink` model — generate slugs, validate, verify password, CRUD
- [x] Create `public/partage/index.php` — public form page (no auth required, validates link active + password if set)
- [x] Create `public/partage/.htaccess` — RewriteRule to route all partage paths to index.php
- [x] Create `public/partage/thanks.php` — post-submission confirmation page
- [x] Move student-specific licence explanation fieldset to partage form template
- [x] Share-link specific CSRF token (session-scoped `share_csrf_<slug>`) instead of session CSRF
- [x] Create admin page for managing student access links
- [x] Create `public/admin/student-access.php` — "Accès étudiant·e" page
- [x] Link to new page from admin navigation
- [x] Implement list view of all share links with status (active/disabled, password set, usage count, created date)
- [x] Implement create new link modal/form (optional expiration, password)
- [x] Implement toggle active/disabled status per link
- [x] Implement password set/change/clear per link
- [x] Implement delete link action
- [x] Copy-to-clipboard button for full partage URL
- [x] Security and validation considerations
- [x] Rate limiting on form submissions per share link — integrate RateLimit into partage index.php POST handler
- [x] Add flash messages / error handling for invalid/disabled/password-protected links — replace plain die() with styled error pages and flash messages
Reference in New Issue View Git Blame Copy Permalink