xamxam/public/admin/actions/visibility.php

<?php
require_once __DIR__ . '/../../../config/bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
AdminAuth::requireLogin();

if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    App::flash('error', "Erreur de sécurité : token invalide.");
    header('Location: /admin/');
    exit;
}

require_once __DIR__ . '/../../../src/Database.php';

$action      = $_POST['action'] ?? '';          // 'set_visibility'
$accessTypeId = filter_var($_POST['access_type_id'] ?? '', FILTER_VALIDATE_INT) ?: null;
$isBulk      = !empty($_POST['bulk']);

$validAccess = [null, 1, 2, 3];
if (!in_array($accessTypeId, $validAccess, true)) {
    App::flash('error', "Valeur de visibilité invalide.");
    header('Location: /admin/');
    exit;
}

try {
    $db = new Database();

    if ($isBulk) {
        $ids = array_filter(array_map('intval', $_POST['selected_theses'] ?? []), fn($id) => $id > 0);
        if (empty($ids)) {
            App::flash('error', "Aucun TFE sélectionné.");
            header('Location: /admin/');
            exit;
        }
        $db->bulkSetVisibility($ids, $accessTypeId);
        App::flash('success', count($ids) . " TFE(s) mis à jour.");
    } else {
        $thesisId = filter_var($_POST['thesis_id'] ?? '', FILTER_VALIDATE_INT);
        if (!$thesisId) {
            App::flash('error', "ID invalide.");
            header('Location: /admin/');
            exit;
        }
        $db->setVisibility($thesisId, $accessTypeId);
        App::flash('success', "Visibilité mise à jour.");
    }
} catch (Exception $e) {
    error_log("visibility.php error: " . $e->getMessage());
    App::flash('error', "Erreur : " . $e->getMessage());
}

$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
header('Location: /admin/');
exit;