<?php
session_start();

// Protect the page: check if user is logged in and is a restaurant owner
if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit();
}

require_once 'db/config.php';

// Basic validation
if (empty($_POST['item_name']) || !isset($_POST['item_price']) || empty($_POST['restaurant_id'])) {
    die('Please fill all required fields.');
}

$item_name = $_POST['item_name'];
$item_description = $_POST['item_description'] ?? '';
$item_price = filter_var($_POST['item_price'], FILTER_VALIDATE_FLOAT);
$restaurant_id = $_POST['restaurant_id'];

if ($item_price === false || $item_price < 0) {
    die('Invalid price format.');
}

$pdo = db();

// Verify that the current user owns the restaurant they are trying to add to
$stmt = $pdo->prepare("SELECT id FROM restaurants WHERE id = ? AND user_id = ?");
$stmt->execute([$restaurant_id, $_SESSION['user_id']]);
if (!$stmt->fetch()) {
    die('You do not have permission to add items to this restaurant.');
}

try {
    $stmt_insert = $pdo->prepare(
        "INSERT INTO menu_items (restaurant_id, name, description, price) VALUES (?, ?, ?, ?)"
    );
    $stmt_insert->execute([$restaurant_id, $item_name, $item_description, $item_price]);

    // Redirect back to the dashboard
    header("Location: dashboard.php?item_added=success");
    exit();

} catch (PDOException $e) {
    // In a real app, you would log this error
    die("Error adding menu item: " . $e->getMessage());
}