xamxam/app/public/admin/actions/language.php

<?php
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
AdminAuth::requireLogin();

if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    http_response_code(403);
    die("Accès refusé.");
}

require_once __DIR__ . '/../../../src/Database.php';
require_once __DIR__ . '/../../../src/AdminLogger.php';
require_once __DIR__ . '/../../../src/ErrorHandler.php';

try {
    $db     = new Database();
    $logger = AdminLogger::make();
    $action = $_POST['action'] ?? '';

    switch ($action) {
        case 'rename':
            $id      = filter_var($_POST['language_id'] ?? '', FILTER_VALIDATE_INT);
            $newName = trim($_POST['new_name'] ?? '');
            if (!$id || $newName === '') throw new Exception("Paramètres invalides.");
            $db->renameLanguage($id, $newName);
            break;

        case 'merge':
            $sourceId = filter_var($_POST['source_id'] ?? '', FILTER_VALIDATE_INT);
            $targetId = filter_var($_POST['target_id'] ?? '', FILTER_VALIDATE_INT);
            if (!$sourceId || !$targetId) throw new Exception("Paramètres invalides.");
            $db->mergeLanguage($sourceId, $targetId);
            break;

        case 'merge_bulk':
            $targetId = filter_var($_POST['target_id'] ?? '', FILTER_VALIDATE_INT);
            $sourceIds = isset($_POST['selected_langs']) && is_array($_POST['selected_langs'])
                ? array_map('intval', $_POST['selected_langs'])
                : [];
            if (!$targetId || empty($sourceIds)) throw new Exception("Paramètres invalides.");
            $sourceIds = array_values(array_diff($sourceIds, [$targetId]));
            if (empty($sourceIds)) throw new Exception("Aucune source à fusionner.");
            foreach ($sourceIds as $sid) {
                $db->mergeLanguage($sid, $targetId);
            }
            break;

        case 'delete':
            $id = filter_var($_POST['language_id'] ?? '', FILTER_VALIDATE_INT);
            if (!$id) throw new Exception("ID invalide.");
            $db->deleteLanguage($id);
            break;

        case 'delete_bulk':
            $sourceIds = isset($_POST['selected_langs']) && is_array($_POST['selected_langs'])
                ? array_map('intval', $_POST['selected_langs'])
                : [];
            if (empty($sourceIds)) throw new Exception("Aucune langue sélectionnée.");
            foreach ($sourceIds as $sid) {
                $db->deleteLanguage($sid);
            }
            break;

        default:
            throw new Exception("Action inconnue.");
    }

    App::flash('success', "Opération effectuée.");
} catch (Exception $e) {
    ErrorHandler::log('language', $e);
    App::flash('error', ErrorHandler::userMessage($e));
}

$redirect = '/admin/contenus.php';
// Allow the caller to override the redirect (same-origin only, no protocol-relative)
$return = $_POST['return'] ?? '';
if ($return !== '' && str_starts_with($return, '/') && !str_starts_with($return, '//')) {
    $redirect = $return;
}
header('Location: ' . $redirect);
exit();