dasposchi-de/admin/upload-handler.php

<?php
/**
 * AJAX Upload-Endpoint für den WYSIWYG-Editor
 */

require_once __DIR__ . '/../core/auth.php';
require_once __DIR__ . '/../core/upload.php';
auth_start_session();

header('Content-Type: application/json');

if (!auth_is_logged_in()) {
    http_response_code(401);
    echo json_encode(['success' => false, 'error' => 'Nicht angemeldet.']);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['success' => false, 'error' => 'Methode nicht erlaubt.']);
    exit;
}

// CSRF prüfen
$token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if (!hash_equals(csrf_token(), $token)) {
    http_response_code(403);
    echo json_encode(['success' => false, 'error' => 'Ungültiges Token.']);
    exit;
}

if (empty($_FILES['image'])) {
    echo json_encode(['success' => false, 'error' => 'Keine Datei ausgewählt.']);
    exit;
}

$url = handle_upload($_FILES['image']);
if ($url === false) {
    echo json_encode(['success' => false, 'error' => 'Upload fehlgeschlagen. Erlaubt: JPG, PNG, GIF, WebP (max. 5 MB).']);
    exit;
}

echo json_encode(['success' => true, 'url' => $url]);