<?php
require_once '../db/config.php';

header('Content-Type: application/json');

// Basic validation
if (!isset($_POST['id']) || !isset($_POST['status'])) {
    echo json_encode(['success' => false, 'message' => 'Invalid request.']);
    exit;
}

$id = $_POST['id'];
$status = $_POST['status'];
$allowed_statuses = ['Approved', 'Rejected'];

if (!in_array($status, $allowed_statuses)) {
    echo json_encode(['success' => false, 'message' => 'Invalid status.']);
    exit;
}

try {
    $pdo = db();
    $stmt = $pdo->prepare("UPDATE expense_reports SET status = ? WHERE id = ?");
    $success = $stmt->execute([$status, $id]);

    if ($success) {
        echo json_encode(['success' => true, 'message' => 'Status updated successfully.']);
    } else {
        echo json_encode(['success' => false, 'message' => 'Failed to update status.']);
    }

} catch (PDOException $e) {
    // In a real app, log this error.
    echo json_encode(['success' => false, 'message' => 'Database error: ' . $e->getMessage()]);
}
?>