Less home code more F3
This commit is contained in:
julien
@@ -21,8 +21,12 @@ class AuthController extends BaseController
|
||||
$username = trim((string) ($this->f3->get('POST.username') ?? ''));
|
||||
$password = (string) ($this->f3->get('POST.password') ?? '');
|
||||
|
||||
$user = (new User($this->db))->findByUsername($username);
|
||||
if ($user === null || !password_verify($password, $user['password_hash'])) {
|
||||
// User étend DB\SQL\Mapper — inutile de recréer un Mapper générique.
|
||||
// Le 3e argument du constructeur Auth est le callback de comparaison.
|
||||
$user = new User();
|
||||
$auth = new \Auth($user, ['id' => 'username', 'pw' => 'password_hash'], 'password_verify');
|
||||
|
||||
if (!$auth->login($username, $password)) {
|
||||
usleep(1_500_000); // 1,5 s — ralentit le brute-force
|
||||
$this->flash('error', 'Identifiants invalides.');
|
||||
$this->f3->reroute('@login');
|
||||
@@ -30,7 +34,7 @@ class AuthController extends BaseController
|
||||
}
|
||||
|
||||
session_regenerate_id(true); // Prévient la fixation de session.
|
||||
$this->f3->set('SESSION.user_id', $user['id']);
|
||||
$this->f3->set('SESSION.user_id', $user->id);
|
||||
$this->flash('success', 'Connexion réussie.');
|
||||
$this->f3->reroute('@dashboard');
|
||||
}
|
||||
|
||||
@@ -5,53 +5,51 @@ declare(strict_types=1);
|
||||
abstract class BaseController
|
||||
{
|
||||
protected Base $f3;
|
||||
protected DB\SQL $db;
|
||||
|
||||
// false = pas encore résolu, null = résolu sans utilisateur.
|
||||
private array|false|null $resolvedUser = false;
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
$this->f3 = Base::instance();
|
||||
$this->db = $this->f3->get('DB');
|
||||
}
|
||||
|
||||
protected function render(string $view, array $data = [], int $cacheTtl = 0): void
|
||||
{
|
||||
$user = $this->currentUser();
|
||||
|
||||
// Les pages publiques restent cacheables avec le TTL demandé.
|
||||
// Si un utilisateur est connecté, le layout dépend de la session
|
||||
// (navigation admin, déconnexion + CSRF) : on force expire(0)
|
||||
// pour ne pas servir ce rendu à d'autres visiteurs.
|
||||
$this->f3->expire($user !== null ? 0 : $cacheTtl);
|
||||
$this->f3->expire($this->currentUser() !== null ? 0 : $cacheTtl);
|
||||
|
||||
$flash = array_key_exists('flash', $data) && is_array($data['flash'])
|
||||
? $data['flash']
|
||||
: $this->pullFlash();
|
||||
|
||||
// currentUser est déjà dans le hive (posé par currentUser()).
|
||||
// Le template y accède directement via {{ @currentUser }}.
|
||||
$this->f3->mset($data + [
|
||||
'view' => $view,
|
||||
'currentUser' => $user,
|
||||
'flash' => $flash,
|
||||
'metaDescription' => null,
|
||||
'adminMode' => false,
|
||||
]);
|
||||
|
||||
// Recopier @CSRF en session pour que verifyCsrf() puisse
|
||||
// vérifier le jeton soumis au POST suivant.
|
||||
$this->f3->copy('CSRF', 'SESSION.csrf');
|
||||
// F3 régénère @CSRF à chaque requête (variable hive uniquement).
|
||||
// On le persiste en session pour que verifyCsrf() puisse comparer
|
||||
// le jeton soumis au POST suivant.
|
||||
$this->f3->copy('CSRF', 'SESSION.csrf_token');
|
||||
echo Template::instance()->render('layout.html');
|
||||
}
|
||||
|
||||
// Résout l'utilisateur courant une seule fois par requête et le
|
||||
// stocke dans le hive — accessible partout, y compris les templates.
|
||||
protected function currentUser(): ?array
|
||||
{
|
||||
if ($this->resolvedUser === false) {
|
||||
if (!$this->f3->exists('currentUser', $user)) {
|
||||
$userId = (int) ($this->f3->get('SESSION.user_id') ?? 0);
|
||||
$this->resolvedUser = $userId > 0 ? (new User($this->db))->findById($userId) : null;
|
||||
$user = $userId > 0 ? (new User())->findById($userId) : null;
|
||||
$this->f3->set('currentUser', $user);
|
||||
}
|
||||
|
||||
return $this->resolvedUser;
|
||||
return $user;
|
||||
}
|
||||
|
||||
protected function requireAuth(): void
|
||||
@@ -64,12 +62,13 @@ abstract class BaseController
|
||||
$this->f3->reroute('@login');
|
||||
}
|
||||
|
||||
// F3 copy() persiste le jeton CSRF en session au rendu (voir render()).
|
||||
// On compare ici le jeton soumis par le formulaire avec celui en session.
|
||||
protected function verifyCsrf(): void
|
||||
{
|
||||
$submitted = (string) ($this->f3->get('POST.csrf_token') ?? '');
|
||||
$expected = (string) ($this->f3->get('SESSION.csrf') ?? '');
|
||||
$expected = (string) ($this->f3->get('SESSION.csrf_token') ?? '');
|
||||
|
||||
// hash_equals : comparaison en temps constant contre les attaques temporelles.
|
||||
if ($submitted !== '' && $expected !== '' && hash_equals($expected, $submitted)) {
|
||||
return;
|
||||
}
|
||||
@@ -77,15 +76,14 @@ abstract class BaseController
|
||||
$this->f3->error(400, 'Jeton CSRF invalide.');
|
||||
}
|
||||
|
||||
// Empile un message flash — permet plusieurs messages par requête.
|
||||
protected function flash(string $type, string $message): void
|
||||
{
|
||||
$this->f3->set('SESSION.flash', ['type' => $type, 'message' => $message]);
|
||||
$this->f3->push('SESSION.flash', ['type' => $type, 'message' => $message]);
|
||||
}
|
||||
|
||||
private function pullFlash(): ?array
|
||||
private function pullFlash(): array
|
||||
{
|
||||
$flash = $this->f3->get('SESSION.flash');
|
||||
$this->f3->clear('SESSION.flash');
|
||||
return is_array($flash) ? $flash : null;
|
||||
return $this->f3->pull('SESSION.flash') ?: [];
|
||||
}
|
||||
}
|
||||
|
||||
@@ -12,8 +12,8 @@ class DashboardController extends BaseController
|
||||
public function index(): void
|
||||
{
|
||||
$page = max(1, (int) ($this->f3->get('GET.page') ?? 1));
|
||||
$media = new Media($this->db);
|
||||
$result = (new Post($this->db))->paginateList($page, 24, $media);
|
||||
$media = new Media();
|
||||
$result = (new Post())->paginateList($page, 24, $media);
|
||||
|
||||
$this->render('admin/dashboard.html', [
|
||||
'pageTitle' => 'Tableau de bord',
|
||||
|
||||
@@ -16,7 +16,7 @@ class MediaController extends BaseController
|
||||
public function index(): void
|
||||
{
|
||||
$page = max(1, (int) ($this->f3->get('GET.page') ?? 1));
|
||||
$result = (new Media($this->db))->paginateLibrary($page, self::PER_PAGE);
|
||||
$result = (new Media())->paginateLibrary($page, self::PER_PAGE);
|
||||
|
||||
$this->render('admin/media.html', [
|
||||
'pageTitle' => 'Médiathèque',
|
||||
@@ -50,7 +50,7 @@ class MediaController extends BaseController
|
||||
}
|
||||
|
||||
foreach ($accepted as $destPath) {
|
||||
(new Media($this->db))->upload($destPath, $originalName);
|
||||
(new Media())->upload($destPath, $originalName);
|
||||
}
|
||||
|
||||
$this->flash('success', 'Image ajoutée.');
|
||||
@@ -66,8 +66,9 @@ class MediaController extends BaseController
|
||||
$this->verifyCsrf();
|
||||
|
||||
try {
|
||||
$alt = trim((string) ($this->f3->get('POST.alt') ?? ''));
|
||||
(new Media($this->db))->updateAlt((int) $this->f3->get('PARAMS.id'), $alt);
|
||||
$alt = (string) ($this->f3->get('POST.alt') ?? '');
|
||||
$this->f3->scrub($alt);
|
||||
(new Media())->updateAlt((int) $this->f3->get('PARAMS.id'), trim($alt));
|
||||
$this->flash('success', 'Texte alternatif mis à jour.');
|
||||
} catch (RuntimeException $e) {
|
||||
$this->flash('error', $e->getMessage());
|
||||
@@ -82,14 +83,14 @@ class MediaController extends BaseController
|
||||
|
||||
try {
|
||||
$id = (int) $this->f3->get('PARAMS.id');
|
||||
$media = new Media($this->db);
|
||||
$media = new Media();
|
||||
$item = $media->findById($id);
|
||||
|
||||
if ($item === null) {
|
||||
throw new RuntimeException('Image introuvable.');
|
||||
}
|
||||
|
||||
if ((new Post($this->db))->isMediaUsed($item['id'], $item['file_name'])) {
|
||||
if ((new Post())->isMediaUsed($item['id'], $item['file_name'])) {
|
||||
throw new RuntimeException('Cette image est encore utilisée par un article.');
|
||||
}
|
||||
|
||||
|
||||
@@ -20,11 +20,11 @@ class PostController extends BaseController
|
||||
{
|
||||
$this->verifyCsrf();
|
||||
|
||||
$media = new Media($this->db);
|
||||
$media = new Media();
|
||||
$input = $this->postInput();
|
||||
|
||||
try {
|
||||
(new Post($this->db))->create($input, $media);
|
||||
(new Post())->create($input, $media);
|
||||
$this->flash('success', 'Article créé.');
|
||||
$this->f3->reroute('@dashboard');
|
||||
} catch (RuntimeException $e) {
|
||||
@@ -34,7 +34,7 @@ class PostController extends BaseController
|
||||
|
||||
public function edit(): void
|
||||
{
|
||||
$post = (new Post($this->db))->findForEdit((int) $this->f3->get('PARAMS.id'));
|
||||
$post = (new Post())->findForEdit((int) $this->f3->get('PARAMS.id'));
|
||||
if ($post === null) {
|
||||
$this->f3->error(404, 'Article introuvable.');
|
||||
return;
|
||||
@@ -47,12 +47,12 @@ class PostController extends BaseController
|
||||
{
|
||||
$this->verifyCsrf();
|
||||
|
||||
$media = new Media($this->db);
|
||||
$media = new Media();
|
||||
$id = (int) $this->f3->get('PARAMS.id');
|
||||
$input = $this->postInput() + ['id' => $id];
|
||||
|
||||
try {
|
||||
$updated = (new Post($this->db))->updatePost($id, $input, $media);
|
||||
$updated = (new Post())->updatePost($id, $input, $media);
|
||||
if (!$updated) {
|
||||
$this->f3->error(404, 'Article introuvable.');
|
||||
return;
|
||||
@@ -70,7 +70,7 @@ class PostController extends BaseController
|
||||
$this->verifyCsrf();
|
||||
|
||||
try {
|
||||
(new Post($this->db))->delete((int) $this->f3->get('PARAMS.id'));
|
||||
(new Post())->delete((int) $this->f3->get('PARAMS.id'));
|
||||
$this->flash('success', 'Article supprimé.');
|
||||
} catch (RuntimeException $e) {
|
||||
$this->flash('error', $e->getMessage());
|
||||
@@ -81,7 +81,7 @@ class PostController extends BaseController
|
||||
|
||||
private function renderForm(string $pageTitle, string $formAction, array $post, ?string $error = null, ?Media $media = null): void
|
||||
{
|
||||
$media ??= new Media($this->db);
|
||||
$media ??= new Media();
|
||||
|
||||
$coverPreview = null;
|
||||
if (!empty($post['cover_media_id'])) {
|
||||
@@ -90,7 +90,7 @@ class PostController extends BaseController
|
||||
|
||||
$mediaItems = $media->latest(self::MEDIA_PICKER_LIMIT);
|
||||
$mediaCount = $media->count();
|
||||
$flash = $error !== null ? ['type' => 'error', 'message' => $error] : null;
|
||||
$flash = $error !== null ? [['type' => 'error', 'message' => $error]] : [];
|
||||
|
||||
$this->render('admin/post_form.html', [
|
||||
'pageTitle' => $pageTitle,
|
||||
@@ -109,9 +109,17 @@ class PostController extends BaseController
|
||||
|
||||
private function postInput(): array
|
||||
{
|
||||
$title = (string) ($this->f3->get('POST.title') ?? '');
|
||||
$excerpt = (string) ($this->f3->get('POST.excerpt') ?? '');
|
||||
|
||||
// scrub() supprime les tags HTML/PHP — défense en profondeur
|
||||
// pour les champs rendus en texte brut dans les templates.
|
||||
$this->f3->scrub($title);
|
||||
$this->f3->scrub($excerpt);
|
||||
|
||||
return [
|
||||
'title' => trim((string) ($this->f3->get('POST.title') ?? '')),
|
||||
'excerpt' => trim((string) ($this->f3->get('POST.excerpt') ?? '')),
|
||||
'title' => trim($title),
|
||||
'excerpt' => trim($excerpt),
|
||||
'cover_media_id' => (string) ($this->f3->get('POST.cover_media_id') ?? ''),
|
||||
'body_markdown' => trim((string) ($this->f3->get('POST.body_markdown') ?? '')),
|
||||
];
|
||||
|
||||
@@ -7,8 +7,8 @@ class SiteController extends BaseController
|
||||
public function home(): void
|
||||
{
|
||||
$page = max(1, (int) ($this->f3->get('GET.page') ?? 1));
|
||||
$media = new Media($this->db);
|
||||
$result = (new Post($this->db))->paginateList($page, 12, $media);
|
||||
$media = new Media();
|
||||
$result = (new Post())->paginateList($page, 12, $media);
|
||||
|
||||
$this->render('site/home.html', [
|
||||
'pageTitle' => 'Accueil',
|
||||
@@ -20,8 +20,8 @@ class SiteController extends BaseController
|
||||
|
||||
public function show(): void
|
||||
{
|
||||
$media = new Media($this->db);
|
||||
$post = (new Post($this->db))->findBySlug((string) $this->f3->get('PARAMS.slug'), $media);
|
||||
$media = new Media();
|
||||
$post = (new Post())->findBySlug((string) $this->f3->get('PARAMS.slug'), $media);
|
||||
if ($post === null) {
|
||||
$this->f3->error(404, 'Article introuvable.');
|
||||
return;
|
||||
|
||||
Reference in New Issue
Block a user