feat: extract MediaController, wire into Dispatcher, delete media.php

app/public/admin/actions/maintenance.php

@@ -0,0 +1,33 @@
+<?php
+require_once __DIR__ . '/../../../bootstrap.php';
+require_once __DIR__ . '/../../../src/AdminAuth.php';
+AdminAuth::requireLogin();
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST'
+    || !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
+    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
+    http_response_code(403);
+    die("Accès refusé.");
+}
+
+$action = $_POST['action'] ?? '';
+
+if ($action === 'enable_maintenance') {
+    file_put_contents(MAINTENANCE_FLAG, date('c'));
+    App::flash('success', "Mode maintenance activé.");
+} elseif ($action === 'disable_maintenance') {
+    if (file_exists(MAINTENANCE_FLAG)) {
+        unlink(MAINTENANCE_FLAG);
+    }
+    App::flash('success', "Mode maintenance désactivé.");
+} else {
+    App::flash('error', "Action inconnue.");
+}
+
+$redirect = isset($_POST['redirect']) ? $_POST['redirect'] : '/admin/';
+// Allow only internal admin redirects for safety
+if (!preg_match('#^/admin/#', $redirect)) {
+    $redirect = '/admin/';
+}
+header('Location: ' . $redirect);
+exit();