xamxam/public/admin/actions/maintenance.php

<?php
require_once __DIR__ . '/../../../config/bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
AdminAuth::requireLogin();

if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    http_response_code(403);
    die("Accès refusé.");
}

$action = $_POST['action'] ?? '';

if ($action === 'enable_maintenance') {
    file_put_contents(MAINTENANCE_FLAG, date('c'));
    App::flash('success', "Mode maintenance activé.");
} elseif ($action === 'disable_maintenance') {
    if (file_exists(MAINTENANCE_FLAG)) {
        unlink(MAINTENANCE_FLAG);
    }
    App::flash('success', "Mode maintenance désactivé.");
} else {
    App::flash('error', "Action inconnue.");
}

header('Location: /admin/');
exit();