feat: extract MediaController, wire into Dispatcher, delete media.php

app/public/admin/README.md

@@ -0,0 +1,145 @@
+# Admin Panel Structure
+
+This directory contains the admin panel for managing Post-ERG thesis database.
+
+## Directory Structure
+
+```
+public/admin/
+├── index.php          # List all theses (main page)
+├── add.php            # Add new thesis form
+├── edit.php           # Edit existing thesis form
+├── import.php         # CSV import form
+├── thanks.php         # Thank you page after submission
+├── actions/           # Backend processing scripts (no HTML output)
+│   ├── formulaire.php # Process thesis submission from add.php
+│   └── publish.php    # Toggle publish/unpublish status
+├── inc/               # Shared templates
+│   ├── head.php       # HTML head, CSS, navigation
+│   └── footer.php     # HTML footer
+└── data/              # Upload directory (not in git)
+    ├── theses/        # PDF files
+    └── covers/        # Cover images
+```
+
+## File Types
+
+### User-Facing Templates (Root Directory)
+Files that display HTML to users:
+- **index.php** - Lists all theses with filters and bulk actions
+- **add.php** - Form to add a new thesis
+- **edit.php** - Form to edit an existing thesis
+- **import.php** - CSV import interface
+- **thanks.php** - Success confirmation page
+
+### Backend Scripts (actions/)
+Files that process forms and redirect (no HTML output):
+- **formulaire.php** - Processes thesis submission from add.php
+- **publish.php** - Handles publish/unpublish actions
+
+### Shared Templates (inc/)
+Reusable HTML components:
+- **head.php** - HTML head, CSS links, navigation menu
+- **footer.php** - HTML footer
+
+## Workflow
+
+### Adding a Thesis
+1. User visits `add.php` (displays form)
+2. User submits form to `actions/formulaire.php` (processes data)
+3. On success, redirects to `thanks.php?id=123`
+4. On error, redirects back to `add.php` with error message
+
+### Publishing/Unpublishing
+1. User clicks publish/unpublish button in `index.php`
+2. Form submits to `actions/publish.php` (processes action)
+3. Redirects back to `index.php` with success/error message
+
+## Security
+
+- All pages require HTTP Basic Auth (configured in nginx) — primary layer
+- All pages require PHP session auth (`AdminAuth::requireLogin()`) — defence-in-depth
+- CSRF tokens protect all forms
+- File uploads validated and sanitized
+- Database queries use prepared statements
+- Upload directory outside public/ in production
+
+See `nginx/PHP_AUTH_LAYER.md` for details on the dual-auth architecture.
+
+## Templates
+
+The `inc/` folder contains shared templates:
+- `head.php` - Included at the top of each page (DOCTYPE, CSS, nav)
+- `footer.php` - Included at the bottom of each page (closing tags)
+
+Usage:
+```php
+<?php include "inc/head.php" ?>
+<!-- Page content here -->
+<?php include "inc/footer.php" ?>
+```
+
+## URL Structure
+
+- `/admin/` - List theses (index.php)
+- `/admin/add.php` - Add new thesis
+- `/admin/edit.php?id=123` - Edit thesis #123
+- `/admin/import.php` - Import CSV
+- `/admin/thanks.php?id=123` - Thank you page
+
+Backend actions (not directly accessed):
+- `/admin/actions/formulaire.php` - Form processor
+- `/admin/actions/publish.php` - Publish toggle
+
+## Development
+
+### Adding a New Page
+
+1. Create the template in `/admin/yourpage.php`:
+```php
+<?php
+require_once __DIR__ . "/../../config/bootstrap.php";
+require_once __DIR__ . '/../../lib/AdminAuth.php';
+AdminAuth::requireLogin();
+$pageTitle = "Your Page Title";
+?>
+<?php include "inc/head.php" ?>
+
+<!-- Your content here -->
+
+<?php include "inc/footer.php" ?>
+```
+
+2. Add navigation link in `inc/head.php` if needed
+
+### Adding a New Action
+
+1. Create the script in `/admin/actions/youraction.php`:
+```php
+<?php
+require_once __DIR__ . "/../../config/bootstrap.php";
+require_once __DIR__ . '/../../lib/AdminAuth.php';
+AdminAuth::requireLogin();
+
+// Verify CSRF token
+if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
+    $_SESSION['error'] = "Security error";
+    header('Location: ../index.php');
+    exit;
+}
+
+// Process action...
+
+// Redirect
+header('Location: ../yourpage.php');
+exit;
+```
+
+2. Create form in template that posts to `actions/youraction.php`
+
+## Notes
+
+- Bootstrap path from actions/: `__DIR__ . "/../../config/bootstrap.php"`
+- Redirects from actions/: use `../` prefix (e.g., `../index.php`)
+- Database class: `require_once __DIR__ . '/../../lib/Database.php'`
+- All forms must include CSRF token from `$_SESSION['csrf_token']`