Rosary/api/delete_audio.php

<?php
/**
 * api/delete_audio.php
 * POST: delete the audio file for a specific prayer key.
 * Admin only.
 *
 * POST params:
 *   key — audio key string
 *
 * Returns JSON: {"deleted": true|false}
 */
require_once __DIR__ . '/../config/db.php';
require_once __DIR__ . '/../includes/auth.php';

header('Content-Type: application/json');
require_auth();

if (!has_role('admin')) {
    http_response_code(403);
    echo json_encode(['error' => 'Permission denied']);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['error' => 'Method not allowed']);
    exit;
}

$key = trim($_POST['key'] ?? '');
if (!preg_match('/^[a-z0-9_]+$/', $key) || strlen($key) > 100) {
    http_response_code(400);
    echo json_encode(['error' => 'Invalid audio key']);
    exit;
}

$audio_dir = UPLOADS_DIR . 'audio/';
$deleted   = false;

foreach (glob($audio_dir . $key . '.*') ?: [] as $file) {
    unlink($file);
    $deleted = true;
}

echo json_encode(['deleted' => $deleted]);