Initial commit — Rosary Presenter App

Full source for loveandrosary.com: slide-based Rosary/novena/Divine Mercy
Chaplet presentation tool with multi-user roles, SVG bead ring, audio uploads,
donate strip, and public session profiles.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/toggle_pin.php

@@ -0,0 +1,64 @@
+<?php
+/**
+ * api/toggle_pin.php
+ * POST: toggle is_pinned on a session or novena_group.
+ * Admin / superadmin only.
+ *
+ * POST params:
+ *   type  — 'session' | 'novena'
+ *   id    — integer row ID
+ *
+ * Returns JSON: {"pinned": true|false}
+ */
+require_once __DIR__ . '/../config/db.php';
+require_once __DIR__ . '/../includes/auth.php';
+
+header('Content-Type: application/json');
+
+_auth_start();
+
+if (!has_role('admin')) {
+    http_response_code(403);
+    echo json_encode(['error' => 'Permission denied']);
+    exit;
+}
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+    http_response_code(405);
+    echo json_encode(['error' => 'Method not allowed']);
+    exit;
+}
+
+$type = trim($_POST['type'] ?? '');
+$id   = (int)($_POST['id']   ?? 0);
+
+if (!in_array($type, ['session', 'novena'], true) || $id < 1) {
+    http_response_code(400);
+    echo json_encode(['error' => 'Invalid parameters']);
+    exit;
+}
+
+try {
+    $pdo   = get_pdo();
+    $table = ($type === 'session') ? 'sessions' : 'novena_groups';
+
+    $sel = $pdo->prepare("SELECT is_pinned FROM {$table} WHERE id = ?");
+    $sel->execute([$id]);
+    $row = $sel->fetch();
+
+    if (!$row) {
+        http_response_code(404);
+        echo json_encode(['error' => 'Record not found']);
+        exit;
+    }
+
+    $new = $row['is_pinned'] ? 0 : 1;
+    $upd = $pdo->prepare("UPDATE {$table} SET is_pinned = ? WHERE id = ?");
+    $upd->execute([$new, $id]);
+
+    echo json_encode(['pinned' => (bool)$new]);
+
+} catch (PDOException $e) {
+    http_response_code(500);
+    echo json_encode(['error' => 'Database error']);
+}