<?php
session_start();
require_once 'db/config.php';
require_once 'auth-check.php';
require_once 'auth-helpers.php';

// Only Super Admins can manage settings
$is_super_admin = ($_SESSION['user_role_id'] == 1);

if (!$is_super_admin) {
    // Redirect non-super-admins or users who can't update permissions
    if (!can($_SESSION['user_role_id'], 'permission', 'update')) {
        header('Location: index.php?error=access_denied');
        exit;
    }
}

$success_message = '';
$error_message = '';
$pdo = db();

// Handle Google Settings form submission
if ($is_super_admin && $_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['save_google_settings'])) {
    $google_client_id = $_POST['google_client_id'] ?? '';
    $google_client_secret = $_POST['google_client_secret'] ?? '';

    try {
        $stmt = $pdo->prepare('UPDATE settings SET setting_value = ? WHERE setting_key = ?');
        $stmt->execute([$google_client_id, 'google_client_id']);
        $stmt->execute([$google_client_secret, 'google_client_secret']);
        $success_message = 'Google settings updated successfully!';
    } catch (PDOException $e) {
        $error_message = 'Database error updating Google settings: ' . $e->getMessage();
    }
}

// Handle Permissions form submission
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['save_permissions'])) {
    if (!can($_SESSION['user_role_id'], 'permission', 'update')) {
        header('Location: index.php?error=access_denied');
        exit;
    }
    try {
        $pdo->beginTransaction();

        $permissions = $_POST['permissions'] ?? [];
        $stmt_roles = $pdo->query('SELECT id FROM roles');
        $db_roles_ids = $stmt_roles->fetchAll(PDO::FETCH_COLUMN);

        $delete_stmt = $pdo->prepare('DELETE FROM role_permissions WHERE role_id = ?');
        $insert_stmt = $pdo->prepare('INSERT INTO role_permissions (role_id, resource, action, fields) VALUES (?, ?, ?, ?)');

        foreach ($db_roles_ids as $role_id) {
            $delete_stmt->execute([$role_id]);
            if (isset($permissions[$role_id])) {
                foreach (['asset', 'user', 'category', 'location', 'role', 'permission'] as $resource) {
                    foreach (['create', 'read', 'update', 'delete'] as $action) {
                        if (isset($permissions[$role_id][$resource][$action]['enabled']) && $permissions[$role_id][$resource][$action]['enabled'] == '1') {
                            $fields = (in_array($action, ['read', 'update', 'create'])) ? ($permissions[$role_id][$resource][$action]['fields'] ?? '*') : null;
                            if (empty($fields)) $fields = '*';
                            $insert_stmt->execute([$role_id, $resource, $action, $fields]);
                        }
                    }
                }
            }
        }

        $pdo->commit();
        $success_message = 'Permissions updated successfully!';

    } catch (PDOException $e) {
        if ($pdo->inTransaction()) $pdo->rollBack();
        $error_message = 'Database error: ' . $e->getMessage();
    }
}

// Fetch data for display
$google_settings = [];
if ($is_super_admin) {
    try {
        $stmt = $pdo->query("SELECT setting_key, setting_value FROM settings WHERE setting_key IN ('google_client_id', 'google_client_secret')");
        $google_settings_raw = $stmt->fetchAll(PDO::FETCH_ASSOC);
        foreach ($google_settings_raw as $row) {
            $google_settings[$row['setting_key']] = $row['setting_value'];
        }
    } catch (PDOException $e) {
        $error_message = "Database error fetching Google settings: " . $e->getMessage();
    }
}

try {
    $roles_stmt = $pdo->query('SELECT * FROM roles ORDER BY name');
    $roles = $roles_stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    $error_message = "Database error fetching roles: " . $e->getMessage();
    $roles = [];
}

$resources = ['asset', 'user', 'category', 'location', 'role', 'permission'];
$actions = ['create', 'read', 'update', 'delete'];

function get_permissions() {
    try {
        $pdo_func = db();
        $stmt = $pdo_func->query('SELECT * FROM role_permissions ORDER BY role_id, resource, action');
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        return ['error' => 'Database error: ' . $e->getMessage()];
    }
}

$permissions_from_db = get_permissions();
$grouped_permissions = [];
if (!isset($permissions_from_db['error'])) {
    foreach ($permissions_from_db as $p) {
        $grouped_permissions[$p['role_id']][$p['resource']][$p['action']] = $p['fields'];
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Settings - IC-Inventory</title>
    <meta name="description" content="Manage application settings, including Google OAuth and role permissions.">
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
    <link rel="stylesheet" href="assets/css/custom.css?v=<?php echo time(); ?>">
    <link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet">
    <script src="https://unpkg.com/feather-icons"></script>
</head>
<body>

<div class="wrapper">
    <?php require_once 'templates/sidebar.php'; ?>

    <main id="content">
        <div class="header">
            <h1>Settings</h1>
        </div>

        <div class="surface p-4">
            <?php if ($success_message): ?>
                <div class="alert alert-success"><?php echo htmlspecialchars($success_message); ?></div>
            <?php endif; ?>
            <?php if ($error_message): ?>
                <div class="alert alert-danger"><?php echo htmlspecialchars($error_message); ?></div>
            <?php endif; ?>

            <?php if ($is_super_admin): ?>
            <div class="card mb-4">
                <div class="card-header">
                    <h3>Google OAuth 2.0 Settings</h3>
                </div>
                <div class="card-body">
                    <p>These credentials are required for Google Login. You can get them from the <a href="https://console.cloud.google.com/apis/credentials" target="_blank">Google Cloud Console</a>.</p>
                    <p>The authorized redirect URI is: <code><?php echo htmlspecialchars(str_replace('settings.php', 'google-callback.php', (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'])); ?></code></p>
                    <form action="settings.php" method="post">
                        <div class="mb-3">
                            <label for="google_client_id" class="form-label">Client ID</label>
                            <input type="text" class="form-control" id="google_client_id" name="google_client_id" value="<?php echo htmlspecialchars($google_settings['google_client_id'] ?? ''); ?>">
                        </div>
                        <div class="mb-3">
                            <label for="google_client_secret" class="form-label">Client Secret</label>
                            <input type="password" class="form-control" id="google_client_secret" name="google_client_secret" value="<?php echo htmlspecialchars($google_settings['google_client_secret'] ?? ''); ?>">
                        </div>
                        <button type="submit" name="save_google_settings" class="btn btn-primary">Save Google Settings</button>
                    </form>
                </div>
            </div>
            <?php endif; ?>

            <?php if (can($_SESSION['user_role_id'], 'permission', 'update')): ?>
            <div class="card">
                <div class="card-header">
                    <h3>Role Permissions</h3>
                </div>
                <div class="card-body">
                    <form action="settings.php" method="post">
                        <div class="table-responsive">
                            <table class="table table-bordered permission-table">
                                <thead>
                                    <tr>
                                        <th>Role</th>
                                        <th>Resource</th>
                                        <th>Create</th>
                                        <th>Read (Fields)</th>
                                        <th>Update (Fields)</th>
                                        <th>Delete</th>
                                    </tr>
                                </thead>
                                <tbody>
                                    <?php foreach ($roles as $role): ?>
                                        <?php foreach ($resources as $resource_idx => $resource): ?>
                                            <tr>
                                                <?php if ($resource_idx === 0): ?>
                                                    <td rowspan="<?php echo count($resources); ?>" class="align-middle">
                                                        <strong><?php echo htmlspecialchars($role['name']); ?></strong>
                                                        <?php if ($role['id'] == 1): ?>
                                                            <span class="badge bg-primary">Super Admin</span>
                                                        <?php endif; ?>
                                                    </td>
                                                <?php endif; ?>
                                                <td class="align-middle"><?php echo ucfirst($resource); ?></td>
                                                
                                                <?php foreach ($actions as $action):
                                                    $is_checked = isset($grouped_permissions[$role['id']][$resource]) && array_key_exists($action, $grouped_permissions[$role['id']][$resource]);
                                                ?>
                                                <td class="align-middle">
                                                    <div class="form-check">
                                                        <input class="form-check-input" type="checkbox" name="permissions[<?php echo $role['id']; ?>][<?php echo $resource; ?>][<?php echo $action; ?>][enabled]" value="1" <?php echo $is_checked ? 'checked' : ''; ?>>
                                                    </div>
                                                    <?php if (in_array($action, ['read', 'update', 'create'])): ?>
                                                        <input type="text" class="form-control form-control-sm mt-1" name="permissions[<?php echo $role['id']; ?>][<?php echo $resource; ?>][<?php echo $action; ?>][fields]" placeholder="* for all" value="<?php echo htmlspecialchars($grouped_permissions[$role['id']][$resource][$action] ?? '*'); ?>">
                                                    <?php endif; ?>
                                                </td>
                                                <?php endforeach; ?>
                                            </tr>
                                        <?php endforeach; ?>
                                    <?php endforeach; ?>
                                </tbody>
                            </table>
                        </div>
                        <button type="submit" name="save_permissions" class="btn btn-primary">Save Permissions</button>
                    </form>
                </div>
            </div>
            <?php endif; ?>
        </div>
    </main>
</div>

<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
<script src="assets/js/main.js?v=<?php echo time(); ?>"></script>
<script>
    feather.replace();
</script>
</body>
</html>