All admin action files (account, tag, page, edit, visibility, maintenance,
publish, formulaire) now call App::flash('error'|'success', ...) instead of
writing to raw per-page session keys ($_SESSION['error'], 'admin_error',
'edit_error', 'admin_success', 'edit_success', 'form_error').
All admin display pages (add, edit, account, tags, pages, index) now include
templates/partials/flash-messages.php instead of manually reading and
unsetting the legacy session keys and inlining their own alert HTML.
App::consumeFlash() already drained all legacy key variants as a safety net,
so the partial works correctly whether it is called from pages that were
already migrated or from any remaining stragglers. No behaviour change for end users.
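<?php

declare(strict_types=1);

// Bootstrap application
require_once __DIR__ . "/../../../config/bootstrap.php";
require_once __DIR__ . '/../../../src/AdminAuth.php';

/**
 * Handle publish/unpublish actions for theses.
 *
 * Expects a POST carrying:
 *   - csrf_token        : must match $_SESSION['csrf_token']
 *   - action            : 'publish' | 'unpublish'
 *   - bulk              : '1' to act on selected_theses[] instead of thesis_id
 *   - thesis_id         : single thesis id (non-bulk)
 *   - selected_theses[] : list of thesis ids (bulk)
 *
 * Every path ends in a redirect to ../index.php with a flash message set via
 * App::flash(); this script never renders output itself.
 */

// PHP-level auth guard (defence-in-depth behind nginx Basic Auth)
AdminAuth::requireLogin();

require_once __DIR__ . '/../../../src/Database.php';

// Flash an error and stop the request with a redirect to the admin index.
// A closure rather than a named function so this script declares no global
// symbol that another admin action file could collide with.
$failAndRedirect = static function (string $message): void {
    App::flash('error', $message);
    header('Location: ../index.php');
    exit;
};

// Verify CSRF token. Both operands must be strings: hash_equals() throws a
// TypeError on anything else (e.g. csrf_token[]=x), which would surface as a
// 500 instead of the controlled redirect below.
$postedToken = $_POST['csrf_token'] ?? null;
$sessionToken = $_SESSION['csrf_token'] ?? null;
if (!is_string($postedToken) || !is_string($sessionToken) || !hash_equals($sessionToken, $postedToken)) {
    $failAndRedirect("Erreur de sécurité : token invalide.");
}

$action = $_POST['action'] ?? '';
// $_POST values are strings or arrays, so a strict comparison is exact here.
$isBulk = ($_POST['bulk'] ?? null) === '1';

// Strict membership check: $action is compared with === further down and
// selects the is_published value, so only the two exact strings are valid.
if (!is_string($action) || !in_array($action, ['publish', 'unpublish'], true)) {
    $failAndRedirect("Action invalide.");
}

try {
    $pdo = (new Database())->getPDO();

    $isPublished = ($action === 'publish') ? 1 : 0;

    if ($isBulk) {
        // Handle bulk action
        $selected = $_POST['selected_theses'] ?? [];

        // selected_theses must be an array of ids; a scalar here would make
        // the loop below (and the original array_map) fail with a TypeError
        // rather than a clean validation error.
        if (!is_array($selected) || $selected === []) {
            $failAndRedirect("Aucun TFE sélectionné.");
        }

        // Validate all IDs are positive integers. Nested arrays are never valid
        // ids; duplicates are dropped so the reported count matches the number
        // of distinct theses touched.
        $thesisIds = [];
        foreach ($selected as $raw) {
            if (!is_scalar($raw)) {
                continue;
            }
            $id = (int) $raw;
            if ($id > 0) {
                $thesisIds[] = $id;
            }
        }
        $thesisIds = array_values(array_unique($thesisIds));

        if ($thesisIds === []) {
            $failAndRedirect("IDs invalides.");
        }

        // One bound placeholder per id for the IN clause; ids themselves are
        // never interpolated into the SQL text.
        $placeholders = implode(',', array_fill(0, count($thesisIds), '?'));
        $sql = "UPDATE theses SET is_published = ?, updated_at = CURRENT_TIMESTAMP WHERE id IN ($placeholders)";

        $stmt = $pdo->prepare($sql);
        $stmt->execute([$isPublished, ...$thesisIds]);

        $count = count($thesisIds);
        App::flash('success', $action === 'publish'
            ? "$count TFE(s) publié(s) avec succès!"
            : "$count TFE(s) retiré(s) de la publication.");
    } else {
        // Handle single action
        $rawId = $_POST['thesis_id'] ?? null;
        $thesisId = is_scalar($rawId) ? (int) $rawId : 0;

        if ($thesisId <= 0) {
            $failAndRedirect("ID invalide.");
        }

        $stmt = $pdo->prepare("UPDATE theses SET is_published = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?");
        $stmt->execute([$isPublished, $thesisId]);

        App::flash('success', $action === 'publish'
            ? "TFE publié avec succès!"
            : "TFE retiré de la publication.");
    }
} catch (Exception $e) {
    // Full detail goes to the server log only; the flashed message stays
    // generic so driver/SQL error text is not echoed back into the admin UI.
    error_log("Publish error: " . $e->getMessage());
    App::flash('error', "Erreur lors de la modification.");
}

// Regenerate CSRF token so each token is single-use (also after a failed update)
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));

header('Location: ../index.php');
exit;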