feat: extract MediaController, wire into Dispatcher, delete media.php

app/public/admin/actions/visibility.php

@@ -0,0 +1,55 @@
+<?php
+require_once __DIR__ . '/../../../bootstrap.php';
+require_once __DIR__ . '/../../../src/AdminAuth.php';
+AdminAuth::requireLogin();
+
+if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
+    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
+    App::flash('error', "Erreur de sécurité : token invalide.");
+    header('Location: /admin/');
+    exit;
+}
+
+require_once __DIR__ . '/../../../src/Database.php';
+
+$action      = $_POST['action'] ?? '';          // 'set_visibility'
+$accessTypeId = filter_var($_POST['access_type_id'] ?? '', FILTER_VALIDATE_INT) ?: null;
+$isBulk      = !empty($_POST['bulk']);
+
+$validAccess = [null, 1, 2, 3];
+if (!in_array($accessTypeId, $validAccess, true)) {
+    App::flash('error', "Valeur de visibilité invalide.");
+    header('Location: /admin/');
+    exit;
+}
+
+try {
+    $db = new Database();
+
+    if ($isBulk) {
+        $ids = array_filter(array_map('intval', $_POST['selected_theses'] ?? []), fn($id) => $id > 0);
+        if (empty($ids)) {
+            App::flash('error', "Aucun TFE sélectionné.");
+            header('Location: /admin/');
+            exit;
+        }
+        $db->bulkSetVisibility($ids, $accessTypeId);
+        App::flash('success', count($ids) . " TFE(s) mis à jour.");
+    } else {
+        $thesisId = filter_var($_POST['thesis_id'] ?? '', FILTER_VALIDATE_INT);
+        if (!$thesisId) {
+            App::flash('error', "ID invalide.");
+            header('Location: /admin/');
+            exit;
+        }
+        $db->setVisibility($thesisId, $accessTypeId);
+        App::flash('success', "Visibilité mise à jour.");
+    }
+} catch (Exception $e) {
+    error_log("visibility.php error: " . $e->getMessage());
+    App::flash('error', "Erreur : " . $e->getMessage());
+}
+
+$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+header('Location: /admin/');
+exit;