release(v3.2.0): share pages revamp + portals browse/download-all + Pro branding upgrades

- shares: modern Dropbox-like share UI (file + folder), safe inline previews, and optional subfolder access
- portals: subfolder browsing + pagination, list/gallery toggle, download-all zip, resumable uploads, submission IDs
- branding (Pro): meta description + favicons + theme colors + login/app backgrounds + share/portal branding
- security: sanitize footer HTML; tighten shared uploads with per-share upload token; validate share/portal paths

Author: error311

CHANGELOG.md

@@ -1,5 +1,100 @@
 # Changelog
 
+## Changes 01/28/2026 (v3.2.0)
+
+`release(v3.2.0): share pages revamp + portals browse/download-all + Pro branding upgrades`
+
+**Commit message**  
+
+```text
+release(v3.2.0): share pages revamp + portals browse/download-all + Pro branding upgrades
+
+- shares: modern Dropbox-like share UI (file + folder), safe inline previews, and optional subfolder access
+- portals: subfolder browsing + pagination, list/gallery toggle, download-all zip, resumable uploads, submission IDs
+- branding (Pro): meta description + favicons + theme colors + login/app backgrounds + share/portal branding
+- security: sanitize footer HTML; tighten shared uploads with per-share upload token; validate share/portal paths
+```
+
+**Added**  
+
+- **Shares (Core)**
+  - **Folder shares** can optionally **include subfolders** (`allowSubfolders`) when creating the link.
+  - Shared folder browsing supports `path=` for subfolder navigation (when enabled).
+  - New public endpoint: **`GET /api/folder/downloadSharedFolder.php`** to download a shared folder (or subfolder) as a ZIP **(local storage only)**.
+  - Shared downloads support `inline=1` for safe types (images/video/audio/pdf) and **never inline SVG**.
+
+- **Share UI revamp (Core)**
+  - New modern share layout + styles in `public/css/share.css` (folder + file share views).
+  - Shared folder now supports:
+    - **Download all**
+    - **List/Gallery toggle**
+    - **Search within the shared folder**
+    - **Breadcrumbs** when subfolder browsing is enabled
+    - Optional XHR upload progress UI for shared-folder uploads
+  - File shares now generate a link that defaults to a landing page (`&view=1`) with metadata + preview.
+
+- **Portals (Pro)**
+  - New API: **`GET /api/pro/portals/listEntries.php`** (folders + files, pagination, optional “all files” mode).
+  - Portal UI now supports:
+    - **Subfolder browsing** (optional, per portal) using `?path=...`
+    - **Breadcrumbs + pagination**
+    - **List/Gallery toggle**
+    - **Download all** (queues a ZIP via `/api/file/downloadZip.php`)
+    - **Resumable uploads** for portals (with standard upload fallback)
+    - Optional **Submission ID** tracking + show in thank-you screen
+    - **5 New preset templates**
+
+- **Branding upgrades (Pro)**
+  - Admin branding now supports:
+    - **Meta description**
+    - **Favicons** (SVG/PNG/ICO), **Apple touch icon**, **Safari pinned mask icon + color**
+    - **Theme color** (light/dark) for browser UI
+    - **Login background** (light/dark) and **App background** (light/dark)
+    - Optional **login tagline**
+  - New `public/js/shareBranding.js` applies Pro branding to share pages (logo, accents, footer, icons, theme-color).
+  - New `public/index.php` can serve `index.html` with branding meta/favicons applied (via `.htaccess` DirectoryIndex).
+
+**Changed**  
+
+- **Shared folder data model**
+  - Shared folder listing now returns a unified `entries[]` array (folders + files), plus `shareRoot`, `path`, and `allowSubfolders`.
+  - Shared file download supports `path=subfolder/file.ext` (with subfolder gating).
+
+- **Shared uploads hardening**
+  - Shared-folder upload POST now supports `pass` + `path` and includes a per-share **`share_upload_token`** guard (HMAC) to reduce abuse.
+
+- **Portal uploads enforcement**
+  - Portal uploads are enforced server-side:
+    - Must stay within the portal’s configured folder
+    - Subfolder uploads are blocked unless the portal enables them
+    - Portal sourceId must match (when configured)
+
+- **Portals admin UX**
+  - Adds portal theme presets (new industries), per-portal theme override fields, and portal logo field.
+  - Adds “portal user” controls (optional per-portal user + password, preset modes).
+
+- **Branding plumbing**
+  - `main.js` now applies branding meta + icons + theme color + backgrounds, and **sanitizes footer HTML** before injecting.
+
+**Fixed**  
+
+- Shared folder password form and file share password form now use the unified share UI and preserve `path` when prompting.
+- `downloadZip` now supports passing an explicit `sourceId` (local sources) by running inside a source context.
+- Various base-path issues resolved for share/portal JS/CSS includes by using `withBase()` and versioned assets.
+
+**Security**  
+
+- Share and portal subpaths are normalized/validated (no `..`, invalid segments).
+- Shared downloads: SVG/SVGZ are always attachment-only (defense in depth).
+- Footer branding HTML is sanitized (allowlist) before inserting into DOM.
+
+**Notes**  
+
+- `downloadSharedFolder.php` only supports **local** storage; remote adapters return a clear error.
+- Portals “download all” depends on ZIP being enabled for the account + server having the needed tooling for ZIP/7z where applicable.
+
+---
+
 ## Changes 01/24/2026 (v3.1.7)
 
 `release(v3.1.7): fix table header select-all checkbox + Pro bundle install progress UI (closes #99)`

public/.htaccess

@@ -2,7 +2,7 @@
 # FileRise portable .htaccess
 # --------------------------------
 Options -Indexes -Multiviews
-DirectoryIndex index.html
+DirectoryIndex index.php index.html
 
 # Allow PATH_INFO for routes like /webdav.php/foo/bar
 AcceptPathInfo On
@@ -37,6 +37,7 @@ RewriteRule ^portal/([A-Za-z0-9_-]+)$ portal.html?slug=$1 [L,QSA]
 RewriteCond %{REQUEST_URI} !^/api/ [NC]
 RewriteCond %{REQUEST_URI} !^/api\.php$ [NC]
 RewriteCond %{REQUEST_URI} !^/webdav\.php$ [NC]
+RewriteCond %{REQUEST_URI} !^/index\.php$ [NC]
 RewriteRule \.php$ - [F,L]
 
 # 3) Never redirect local/dev hosts

public/api/file/share.php

@@ -9,6 +9,8 @@
  *   tags={"Shares"},
  *   @OA\Parameter(name="token", in="query", required=true, @OA\Schema(type="string"), description="Share token"),
  *   @OA\Parameter(name="pass", in="query", required=false, @OA\Schema(type="string"), description="Share password"),
+ *   @OA\Parameter(name="view", in="query", required=false, @OA\Schema(type="integer", enum={0,1}), description="Render share landing page when set to 1"),
+ *   @OA\Parameter(name="inline", in="query", required=false, @OA\Schema(type="integer", enum={0,1}), description="Allow inline rendering for safe types"),
  *   @OA\Response(
  *     response=200,
  *     description="File stream or password prompt",

public/api/folder/createShareFolderLink.php

@@ -18,7 +18,8 @@
  *       @OA\Property(property="expirationValue", type="integer", example=60),
  *       @OA\Property(property="expirationUnit", type="string", enum={"seconds","minutes","hours","days"}, example="minutes"),
  *       @OA\Property(property="password", type="string", example=""),
- *       @OA\Property(property="allowUpload", type="integer", enum={0,1}, example=0)
+ *       @OA\Property(property="allowUpload", type="integer", enum={0,1}, example=0),
+ *       @OA\Property(property="allowSubfolders", type="integer", enum={0,1}, example=0)
  *     )
  *   ),
  *   @OA\Response(
@@ -27,7 +28,7 @@
  *     @OA\JsonContent(
  *       type="object",
  *       @OA\Property(property="token", type="string", example="sf_abc123"),
- *       @OA\Property(property="url", type="string", example="/api/folder/shareFolder.php?token=sf_abc123"),
+ *       @OA\Property(property="link", type="string", example="/api/folder/shareFolder.php?token=sf_abc123"),
  *       @OA\Property(property="expires", type="integer", example=1700000000)
  *     )
  *   ),
@@ -41,4 +42,4 @@
 require_once PROJECT_ROOT . '/src/controllers/FolderController.php';
 
 $folderController = new FolderController();
-$folderController->createShareFolderLink();
+$folderController->createShareFolderLink();

public/api/folder/downloadSharedFile.php

@@ -9,7 +9,10 @@
  *   operationId="downloadSharedFile",
  *   tags={"Shared Folders"},
  *   @OA\Parameter(name="token", in="query", required=true, @OA\Schema(type="string")),
- *   @OA\Parameter(name="file", in="query", required=true, @OA\Schema(type="string"), example="report.pdf"),
+ *   @OA\Parameter(name="pass", in="query", required=false, @OA\Schema(type="string")),
+ *   @OA\Parameter(name="file", in="query", required=false, @OA\Schema(type="string"), example="report.pdf"),
+ *   @OA\Parameter(name="path", in="query", required=false, @OA\Schema(type="string"), example="subfolder/report.pdf"),
+ *   @OA\Parameter(name="inline", in="query", required=false, @OA\Schema(type="integer", enum={0,1}), description="Allow inline rendering for safe types"),
  *   @OA\Response(
  *     response=200,
  *     description="Binary file",
@@ -21,6 +24,7 @@
  *     }
  *   ),
  *   @OA\Response(response=400, description="Invalid input"),
+ *   @OA\Response(response=403, description="Password required"),
  *   @OA\Response(response=404, description="Not found")
  * )
  */
@@ -29,4 +33,4 @@
 require_once PROJECT_ROOT . '/src/controllers/FolderController.php';
 
 $folderController = new FolderController();
-$folderController->downloadSharedFile();
+$folderController->downloadSharedFile();

public/api/folder/downloadSharedFolder.php

@@ -0,0 +1,34 @@
+<?php
+// public/api/folder/downloadSharedFolder.php
+
+/**
+ * @OA\Get(
+ *   path="/api/folder/downloadSharedFolder.php",
+ *   summary="Download a shared folder as a ZIP",
+ *   description="Public endpoint; validates token/path and streams a ZIP archive.",
+ *   operationId="downloadSharedFolder",
+ *   tags={"Shared Folders"},
+ *   @OA\Parameter(name="token", in="query", required=true, @OA\Schema(type="string")),
+ *   @OA\Parameter(name="pass", in="query", required=false, @OA\Schema(type="string")),
+ *   @OA\Parameter(name="path", in="query", required=false, @OA\Schema(type="string"), description="Subfolder path within the shared folder"),
+ *   @OA\Response(
+ *     response=200,
+ *     description="ZIP archive",
+ *     content={
+ *       "application/zip": @OA\MediaType(
+ *         mediaType="application/zip",
+ *         @OA\Schema(type="string", format="binary")
+ *       )
+ *     }
+ *   ),
+ *   @OA\Response(response=400, description="Invalid input"),
+ *   @OA\Response(response=403, description="Password required"),
+ *   @OA\Response(response=404, description="Not found")
+ * )
+ */
+
+require_once __DIR__ . '/../../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/FolderController.php';
+
+$folderController = new FolderController();
+$folderController->downloadSharedFolder();

public/api/folder/shareFolder.php

@@ -10,6 +10,7 @@
  *   tags={"Shared Folders"},
  *   @OA\Parameter(name="token", in="query", required=true, @OA\Schema(type="string")),
  *   @OA\Parameter(name="pass", in="query", required=false, @OA\Schema(type="string")),
+ *   @OA\Parameter(name="path", in="query", required=false, @OA\Schema(type="string"), description="Subfolder path within the shared folder"),
  *   @OA\Parameter(name="page", in="query", required=false, @OA\Schema(type="integer", minimum=1), example=1),
  *   @OA\Response(
  *     response=200,
@@ -25,4 +26,4 @@
 require_once PROJECT_ROOT . '/src/controllers/FolderController.php';
 
 $folderController = new FolderController();
-$folderController->shareFolder();
+$folderController->shareFolder();

public/api/folder/uploadToSharedFolder.php

@@ -17,6 +17,8 @@
  *           type="object",
  *           required={"token","fileToUpload"},
  *           @OA\Property(property="token", type="string", description="Share token"),
+ *           @OA\Property(property="pass", type="string", description="Share password (if required)"),
+ *           @OA\Property(property="path", type="string", description="Optional subfolder path within the shared folder"),
  *           @OA\Property(property="fileToUpload", type="string", format="binary", description="File to upload")
  *         )
  *       )
@@ -32,4 +34,4 @@
 require_once PROJECT_ROOT . '/src/controllers/FolderController.php';
 
 $folderController = new FolderController();
-$folderController->uploadToSharedFolder();
+$folderController->uploadToSharedFolder();

public/api/pro/portals/listEntries.php

@@ -0,0 +1,53 @@
+<?php
+// public/api/pro/portals/listEntries.php
+/**
+ * List portal entries (folders + files) with pagination.
+ */
+declare(strict_types=1);
+
+header('Content-Type: application/json; charset=utf-8');
+
+require_once __DIR__ . '/../../../../config/config.php';
+require_once PROJECT_ROOT . '/src/controllers/AdminController.php';
+require_once PROJECT_ROOT . '/src/controllers/PortalController.php';
+
+try {
+    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'GET') {
+        http_response_code(405);
+        echo json_encode(['success' => false, 'error' => 'Method not allowed']);
+        return;
+    }
+
+    if (session_status() !== PHP_SESSION_ACTIVE) {
+        session_start();
+    }
+
+    AdminController::requireAuth();
+
+    $slug = isset($_GET['slug']) ? trim((string)$_GET['slug']) : '';
+    $path = isset($_GET['path']) ? (string)$_GET['path'] : '';
+    $page = isset($_GET['page']) ? (int)$_GET['page'] : 1;
+    $perPage = isset($_GET['perPage']) ? (int)$_GET['perPage'] : 50;
+    $all = !empty($_GET['all']);
+
+    $data = PortalController::listPortalEntries($slug, $path, $page, $perPage, $all);
+    if (isset($data['error'])) {
+        http_response_code((int)($data['status'] ?? 400));
+        echo json_encode([
+            'success' => false,
+            'error'   => $data['error'],
+        ], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+        return;
+    }
+
+    echo json_encode(
+        ['success' => true] + $data,
+        JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES
+    );
+} catch (Throwable $e) {
+    http_response_code(500);
+    echo json_encode([
+        'success' => false,
+        'error'   => $e->getMessage(),
+    ], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+}

public/api/pro/portals/save.php

@@ -61,9 +61,14 @@
     }
 
     $ctrl = new AdminController();
-    $ctrl->saveProPortals($portals);
+    $result = $ctrl->saveProPortals($portals);
 
-    echo json_encode(['success' => true], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+    $payload = ['success' => true];
+    if (is_array($result) && !empty($result['portalUsers'])) {
+        $payload['portalUsers'] = $result['portalUsers'];
+    }
+
+    echo json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
 } catch (Throwable $e) {
     $code = $e instanceof InvalidArgumentException ? 400 : 500;
     http_response_code($code);