Less home code more F3
This commit is contained in:
julien
11
app/Controllers/AdminController.php
Normal file
11
app/Controllers/AdminController.php
Normal file
@@ -0,0 +1,11 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
abstract class AdminController extends BaseController
|
||||
{
|
||||
public function beforeRoute(): void
|
||||
{
|
||||
$this->requireAuth();
|
||||
}
|
||||
}
|
||||
@@ -1,30 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
class AssetController
|
||||
{
|
||||
private const ALLOWED = [
|
||||
'app.css' => 'text/css',
|
||||
'app.js' => 'application/javascript',
|
||||
];
|
||||
|
||||
public function serve(): void
|
||||
{
|
||||
$f3 = Base::instance();
|
||||
$file = basename((string) $f3->get('PARAMS.file'));
|
||||
|
||||
if (!array_key_exists($file, self::ALLOWED)) {
|
||||
$f3->error(404);
|
||||
return;
|
||||
}
|
||||
|
||||
$f3->expire(86400);
|
||||
echo Web::instance()->minify(
|
||||
$file,
|
||||
self::ALLOWED[$file],
|
||||
true, // envoie le Content-Type
|
||||
app_root() . '/public/assets/' // répertoire source (hors UI)
|
||||
);
|
||||
}
|
||||
}
|
||||
@@ -18,7 +18,7 @@ class AuthController extends BaseController
|
||||
{
|
||||
$this->verifyCsrf();
|
||||
|
||||
$username = trim((string) ($this->f3->get('POST.username') ?? ''));
|
||||
$username = $this->f3->clean((string) ($this->f3->get('POST.username') ?? ''));
|
||||
$password = (string) ($this->f3->get('POST.password') ?? '');
|
||||
|
||||
// User étend DB\SQL\Mapper — inutile de recréer un Mapper générique.
|
||||
@@ -34,6 +34,7 @@ class AuthController extends BaseController
|
||||
}
|
||||
|
||||
session_regenerate_id(true); // Prévient la fixation de session.
|
||||
$this->resetCsrfToken(); // Le nouveau contexte repart avec un jeton dédié.
|
||||
$this->f3->set('SESSION.user_id', $user->id);
|
||||
$this->flash('success', 'Connexion réussie.');
|
||||
$this->f3->reroute('@dashboard');
|
||||
@@ -43,6 +44,7 @@ class AuthController extends BaseController
|
||||
{
|
||||
$this->verifyCsrf();
|
||||
$this->f3->clear('SESSION.user_id');
|
||||
$this->resetCsrfToken();
|
||||
session_regenerate_id(true); // Invalide l'ancien ID de session.
|
||||
$this->flash('success', 'Déconnexion effectuée.');
|
||||
$this->f3->reroute('@login');
|
||||
|
||||
@@ -17,25 +17,26 @@ abstract class BaseController
|
||||
// Si un utilisateur est connecté, le layout dépend de la session
|
||||
// (navigation admin, déconnexion + CSRF) : on force expire(0)
|
||||
// pour ne pas servir ce rendu à d'autres visiteurs.
|
||||
$this->f3->expire($this->currentUser() !== null ? 0 : $cacheTtl);
|
||||
$currentUser = $this->currentUser();
|
||||
$this->f3->expire($currentUser !== null ? 0 : $cacheTtl);
|
||||
|
||||
$flash = array_key_exists('flash', $data) && is_array($data['flash'])
|
||||
? $data['flash']
|
||||
: $this->pullFlash();
|
||||
|
||||
// currentUser est déjà dans le hive (posé par currentUser()).
|
||||
// Le template y accède directement via {{ @currentUser }}.
|
||||
// Jeton CSRF stable par session : plus simple et plus robuste que le
|
||||
// pool précédent, tout en restant compatible multi-onglets.
|
||||
$this->ensureCsrfToken();
|
||||
|
||||
$this->f3->mset($data + [
|
||||
'view' => $view,
|
||||
'flash' => $flash,
|
||||
'metaDescription' => null,
|
||||
'adminMode' => false,
|
||||
'currentUser' => $currentUser,
|
||||
'FORM_CSRF' => (string) $this->f3->get('SESSION.csrf_token'),
|
||||
]);
|
||||
|
||||
// F3 régénère @CSRF à chaque requête (variable hive uniquement).
|
||||
// On le persiste en session pour que verifyCsrf() puisse comparer
|
||||
// le jeton soumis au POST suivant.
|
||||
$this->f3->copy('CSRF', 'SESSION.csrf_token');
|
||||
echo Template::instance()->render('layout.html');
|
||||
}
|
||||
|
||||
@@ -62,12 +63,10 @@ abstract class BaseController
|
||||
$this->f3->reroute('@login');
|
||||
}
|
||||
|
||||
// F3 copy() persiste le jeton CSRF en session au rendu (voir render()).
|
||||
// On compare ici le jeton soumis par le formulaire avec celui en session.
|
||||
protected function verifyCsrf(): void
|
||||
{
|
||||
$submitted = (string) ($this->f3->get('POST.csrf_token') ?? '');
|
||||
$expected = (string) ($this->f3->get('SESSION.csrf_token') ?? '');
|
||||
$submitted = trim((string) ($this->f3->get('POST.csrf_token') ?? ''));
|
||||
$expected = trim((string) ($this->f3->get('SESSION.csrf_token') ?? ''));
|
||||
|
||||
if ($submitted !== '' && $expected !== '' && hash_equals($expected, $submitted)) {
|
||||
return;
|
||||
@@ -82,6 +81,22 @@ abstract class BaseController
|
||||
$this->f3->push('SESSION.flash', ['type' => $type, 'message' => $message]);
|
||||
}
|
||||
|
||||
protected function resetCsrfToken(): void
|
||||
{
|
||||
$this->f3->clear('SESSION.csrf_token');
|
||||
$this->ensureCsrfToken();
|
||||
}
|
||||
|
||||
private function ensureCsrfToken(): void
|
||||
{
|
||||
$token = trim((string) ($this->f3->get('SESSION.csrf_token') ?? ''));
|
||||
if ($token !== '') {
|
||||
return;
|
||||
}
|
||||
|
||||
$this->f3->set('SESSION.csrf_token', bin2hex(random_bytes(32)));
|
||||
}
|
||||
|
||||
private function pullFlash(): array
|
||||
{
|
||||
return $this->f3->pull('SESSION.flash') ?: [];
|
||||
|
||||
@@ -1,26 +0,0 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
class DashboardController extends BaseController
|
||||
{
|
||||
public function beforeRoute(): void
|
||||
{
|
||||
$this->requireAuth();
|
||||
}
|
||||
|
||||
public function index(): void
|
||||
{
|
||||
$page = max(1, (int) ($this->f3->get('GET.page') ?? 1));
|
||||
$media = new Media();
|
||||
$result = (new Post())->paginateList($page, 24, $media);
|
||||
|
||||
$this->render('admin/dashboard.html', [
|
||||
'pageTitle' => 'Tableau de bord',
|
||||
'posts' => $result['posts'],
|
||||
'pagination' => $result,
|
||||
'paginationAlias' => 'dashboard',
|
||||
'adminMode' => true,
|
||||
]);
|
||||
}
|
||||
}
|
||||
@@ -2,17 +2,11 @@
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
class MediaController extends BaseController
|
||||
class MediaController extends AdminController
|
||||
{
|
||||
private const UPLOAD_MAX_BYTES = 10 * 1024 * 1024; // 10 Mo
|
||||
private const ACCEPTED_TYPES = ['image/jpeg', 'image/png', 'image/webp'];
|
||||
private const PER_PAGE = 24;
|
||||
|
||||
public function beforeRoute(): void
|
||||
{
|
||||
$this->requireAuth();
|
||||
}
|
||||
|
||||
public function index(): void
|
||||
{
|
||||
$page = max(1, (int) ($this->f3->get('GET.page') ?? 1));
|
||||
@@ -35,23 +29,24 @@ class MediaController extends BaseController
|
||||
$originalName = (string) ($this->f3->get('FILES.image.name') ?? '');
|
||||
|
||||
$received = Web::instance()->receive(
|
||||
// F3 gère le transport et le renommage ; la validation métier
|
||||
// (format réel, dimensions, réencodage) reste centralisée dans Media.
|
||||
fn(array $file): bool => (int) ($file['size'] ?? 0) > 0
|
||||
&& (int) ($file['size'] ?? 0) <= self::UPLOAD_MAX_BYTES
|
||||
&& in_array($file['type'] ?? '', self::ACCEPTED_TYPES, true),
|
||||
&& (int) ($file['size'] ?? 0) <= self::UPLOAD_MAX_BYTES,
|
||||
overwrite: false,
|
||||
slug: true
|
||||
);
|
||||
|
||||
// UPLOADS étant absolu (bootstrap.php), les chemins retournés le sont aussi.
|
||||
// Le formulaire n'envoie qu'un seul fichier : on garde le premier
|
||||
// chemin accepté retourné par Web::receive().
|
||||
$accepted = array_keys(array_filter($received));
|
||||
$destPath = $accepted[0] ?? null;
|
||||
|
||||
if ($accepted === []) {
|
||||
if ($destPath === null) {
|
||||
throw new RuntimeException('Choisis une image valide à envoyer (JPG, PNG, WebP ≤ ' . (int) (self::UPLOAD_MAX_BYTES / 1024 / 1024) . ' Mo).');
|
||||
}
|
||||
|
||||
foreach ($accepted as $destPath) {
|
||||
(new Media())->upload($destPath, $originalName);
|
||||
}
|
||||
(new Media())->upload($destPath, $originalName);
|
||||
|
||||
$this->flash('success', 'Image ajoutée.');
|
||||
} catch (RuntimeException $e) {
|
||||
@@ -66,9 +61,8 @@ class MediaController extends BaseController
|
||||
$this->verifyCsrf();
|
||||
|
||||
try {
|
||||
$alt = (string) ($this->f3->get('POST.alt') ?? '');
|
||||
$this->f3->scrub($alt);
|
||||
(new Media())->updateAlt((int) $this->f3->get('PARAMS.id'), trim($alt));
|
||||
$alt = $this->f3->clean((string) ($this->f3->get('POST.alt') ?? ''));
|
||||
(new Media())->updateAlt((int) $this->f3->get('PARAMS.id'), $alt);
|
||||
$this->flash('success', 'Texte alternatif mis à jour.');
|
||||
} catch (RuntimeException $e) {
|
||||
$this->flash('error', $e->getMessage());
|
||||
|
||||
@@ -2,13 +2,24 @@
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
class PostController extends BaseController
|
||||
class PostController extends AdminController
|
||||
{
|
||||
private const PER_PAGE = 12;
|
||||
private const MEDIA_PICKER_LIMIT = 60;
|
||||
|
||||
public function beforeRoute(): void
|
||||
public function index(): void
|
||||
{
|
||||
$this->requireAuth();
|
||||
$page = max(1, (int) ($this->f3->get('GET.page') ?? 1));
|
||||
$media = new Media();
|
||||
$result = (new Post())->paginateList($page, self::PER_PAGE, $media);
|
||||
|
||||
$this->render('admin/dashboard.html', [
|
||||
'pageTitle' => 'Tableau de bord',
|
||||
'posts' => $result['posts'],
|
||||
'pagination' => $result,
|
||||
'paginationAlias' => 'dashboard',
|
||||
'adminMode' => true,
|
||||
]);
|
||||
}
|
||||
|
||||
public function create(): void
|
||||
@@ -109,17 +120,9 @@ class PostController extends BaseController
|
||||
|
||||
private function postInput(): array
|
||||
{
|
||||
$title = (string) ($this->f3->get('POST.title') ?? '');
|
||||
$excerpt = (string) ($this->f3->get('POST.excerpt') ?? '');
|
||||
|
||||
// scrub() supprime les tags HTML/PHP — défense en profondeur
|
||||
// pour les champs rendus en texte brut dans les templates.
|
||||
$this->f3->scrub($title);
|
||||
$this->f3->scrub($excerpt);
|
||||
|
||||
return [
|
||||
'title' => trim($title),
|
||||
'excerpt' => trim($excerpt),
|
||||
'title' => $this->f3->clean((string) ($this->f3->get('POST.title') ?? '')),
|
||||
'excerpt' => $this->f3->clean((string) ($this->f3->get('POST.excerpt') ?? '')),
|
||||
'cover_media_id' => (string) ($this->f3->get('POST.cover_media_id') ?? ''),
|
||||
'body_markdown' => trim((string) ($this->f3->get('POST.body_markdown') ?? '')),
|
||||
];
|
||||
|
||||
Reference in New Issue
Block a user