<?php
header('Content-Type: application/json');
session_start();
require_once __DIR__ . '/db/config.php';

if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
    echo json_encode(['success' => false, 'error' => 'Authentication required.']);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    echo json_encode(['success' => false, 'error' => 'Invalid request method.']);
    exit;
}

$input = json_decode(file_get_contents('php://input'), true);
if (!$input || !isset($input['action'])) {
    echo json_encode(['success' => false, 'error' => 'Invalid or missing action.']);
    exit;
}

$action = $input['action'];
$user_id = $_SESSION['user_id'];
$role = $_SESSION['role'];

switch ($action) {
    case 'update_task_status':
        handle_update_task_status($input, $user_id, $role);
        break;
    case 'create_task':
        handle_create_task($input, $user_id, $role);
        break;
    case 'create_user':
    case 'update_user':
    case 'delete_user':
        handle_user_management($action, $input, $role);
        break;
    default:
        echo json_encode(['success' => false, 'error' => 'Unknown action.']);
        break;
}

function handle_update_task_status($input, $user_id, $role) {
    if ($role !== 'siswa') {
        echo json_encode(['success' => false, 'error' => 'Permission denied.']);
        exit;
    }
    if (!isset($input['assignment_id']) || !isset($input['status'])) {
        echo json_encode(['success' => false, 'error' => 'Missing parameters.']);
        return;
    }
    try {
        $pdo = db();
        $stmt = $pdo->prepare("UPDATE task_assignments SET status = ?, completed_at = ? WHERE id = ? AND assigned_to_user_id = ?");
        $completed_at = ($input['status'] === 'done') ? date('Y-m-d H:i:s') : null;
        $stmt->execute([$input['status'], $completed_at, $input['assignment_id'], $user_id]);
        echo json_encode(['success' => $stmt->rowCount() > 0]);
    } catch (PDOException $e) {
        echo json_encode(['success' => false, 'error' => 'Database error.']);
    }
}

function handle_create_task($input, $user_id, $role) {
    if ($role !== 'guru') {
        echo json_encode(['success' => false, 'error' => 'Permission denied.']);
        exit;
    }
    if (empty($input['title']) || empty($input['student_ids'])) {
        echo json_encode(['success' => false, 'error' => 'Title and at least one student are required.']);
        return;
    }

    $pdo = db();
    try {
        $pdo->beginTransaction();
        $stmt = $pdo->prepare("INSERT INTO tasks (title, description, created_by_user_id, due_date) VALUES (?, ?, ?, ?)");
        $stmt->execute([$input['title'], $input['description'], $user_id, $input['due_date']]);
        $task_id = $pdo->lastInsertId();
        $stmt = $pdo->prepare("INSERT INTO task_assignments (task_id, assigned_to_user_id) VALUES (?, ?)");
        foreach ($input['student_ids'] as $student_id) {
            $stmt->execute([$task_id, $student_id]);
        }
        $pdo->commit();
        echo json_encode(['success' => true]);
    } catch (PDOException $e) {
        $pdo->rollBack();
        echo json_encode(['success' => false, 'error' => 'Database error during task creation.']);
    }
}

function handle_user_management($action, $input, $role) {
    if ($role !== 'admin') {
        echo json_encode(['success' => false, 'error' => 'Permission denied.']);
        exit;
    }

    $pdo = db();
    try {
        switch ($action) {
            case 'create_user':
                if (empty($input['username']) || empty($input['password']) || empty($input['role'])) {
                    echo json_encode(['success' => false, 'error' => 'Username, password, and role are required.']);
                    return;
                }
                $hashed_password = password_hash($input['password'], PASSWORD_DEFAULT);
                $stmt = $pdo->prepare("INSERT INTO users (username, password, role) VALUES (?, ?, ?)");
                $stmt->execute([$input['username'], $hashed_password, $input['role']]);
                break;

            case 'update_user':
                if (empty($input['user_id']) || empty($input['username']) || empty($input['role'])) {
                    echo json_encode(['success' => false, 'error' => 'User ID, username, and role are required.']);
                    return;
                }
                if (!empty($input['password'])) {
                    $hashed_password = password_hash($input['password'], PASSWORD_DEFAULT);
                    $stmt = $pdo->prepare("UPDATE users SET username = ?, password = ?, role = ? WHERE id = ?");
                    $stmt->execute([$input['username'], $hashed_password, $input['role'], $input['user_id']]);
                } else {
                    $stmt = $pdo->prepare("UPDATE users SET username = ?, role = ? WHERE id = ?");
                    $stmt->execute([$input['username'], $input['role'], $input['user_id']]);
                }
                break;

            case 'delete_user':
                if (empty($input['user_id'])) {
                    echo json_encode(['success' => false, 'error' => 'User ID is required.']);
                    return;
                }
                // Prevent admin from deleting themselves
                if ($input['user_id'] == $_SESSION['user_id']) {
                     echo json_encode(['success' => false, 'error' => 'You cannot delete your own account.']);
                    return;
                }
                $stmt = $pdo->prepare("DELETE FROM users WHERE id = ?");
                $stmt->execute([$input['user_id']]);
                break;
        }
        echo json_encode(['success' => true]);
    } catch (PDOException $e) {
        // Check for duplicate username error
        if ($e->errorInfo[1] == 1062) {
            echo json_encode(['success' => false, 'error' => 'Username already exists.']);
        } else {
            echo json_encode(['success' => false, 'error' => 'Database error: ' . $e->getMessage()]);
        }
    }
}