<?php
// api/add_user.php
header('Content-Type: application/json');
require_once '../db/config.php';
session_start();

// Authentication and Authorization check
if (!isset($_SESSION['user_id']) || $_SESSION['user_role'] !== 'super_admin') {
    echo json_encode(['success' => false, 'message' => 'Unauthorized']);
    exit;
}

// Basic validation
if (empty($_POST['nama_lengkap']) || empty($_POST['email']) || empty($_POST['password']) || empty($_POST['role'])) {
    echo json_encode(['success' => false, 'message' => 'Please fill all required fields.']);
    exit;
}

$nama_lengkap = $_POST['nama_lengkap'];
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$password = password_hash($_POST['password'], PASSWORD_DEFAULT);
$role = $_POST['role'];
$id_kantor = !empty($_POST['id_kantor']) ? filter_input(INPUT_POST, 'id_kantor', FILTER_SANITIZE_NUMBER_INT) : null;

if (!$email) {
    echo json_encode(['success' => false, 'message' => 'Invalid email format.']);
    exit;
}

// Check for existing email
try {
    $stmt = db()->prepare("SELECT id FROM users WHERE email = ?");
    $stmt->execute([$email]);
    if ($stmt->fetch()) {
        echo json_encode(['success' => false, 'message' => 'Email already exists.']);
        exit;
    }

    $sql = "INSERT INTO users (nama_lengkap, email, password, role, id_kantor) VALUES (?, ?, ?, ?, ?)";
    $stmt = db()->prepare($sql);
    $stmt->execute([$nama_lengkap, $email, $password, $role, $id_kantor]);

    echo json_encode(['success' => true, 'message' => 'User added successfully.']);

} catch (PDOException $e) {
    echo json_encode(['success' => false, 'message' => 'Database error: ' . $e->getMessage()]);
}
?>