xamxam/app/public/admin/actions/settings.php

<?php
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
AdminAuth::requireLogin();

if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    App::flash('error', "Erreur de sécurité : token invalide.");
    header('Location: /admin/parametres.php');
    exit;
}

require_once APP_ROOT . '/src/Database.php';
require_once APP_ROOT . '/src/SmtpRelay.php';
$db = new Database();

$section = $_POST['section'] ?? '';

if ($section === 'formulaire') {
    $allowed = ['access_type_libre_enabled', 'access_type_interne_enabled', 'access_type_interdit_enabled'];
    foreach ($allowed as $key) {
        $value = isset($_POST[$key]) ? '1' : '0';
        $db->setSetting($key, $value);
    }
    App::flash('success', "Paramètres du formulaire mis à jour.");
} elseif ($section === 'objet_types') {
    $db->setSetting('objet_these_enabled', isset($_POST['objet_these_enabled']) ? '1' : '0');
    $db->setSetting('objet_frart_enabled', isset($_POST['objet_frart_enabled']) ? '1' : '0');
    App::flash('success', "Types de travaux mis à jour.");
} elseif ($section === 'smtp') {
    $smtpData = [
        'host'       => $_POST['smtp_host'] ?? '',
        'port'       => $_POST['smtp_port'] ?? 587,
        'encryption' => $_POST['smtp_encryption'] ?? 'tls',
        'username'   => $_POST['smtp_username'] ?? '',
        'from_email' => $_POST['smtp_from_email'] ?? '',
        'from_name'  => $_POST['smtp_from_name'] ?? 'Post-ERG',
    ];
    // Only update password when user actually typed something.
    $pwd = $_POST['smtp_password'] ?? '';
    if ($pwd !== '') {
        $smtpData['password'] = $pwd;
    }
    SmtpRelay::updateSettings($db, $smtpData);
    App::flash('success', "Paramètres SMTP mis à jour.");
} else {
    App::flash('error', "Section inconnue.");
}

$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
header('Location: /admin/parametres.php');
exit;