<?php
require_once 'includes/session.php';
require_login();

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: dashboard.php');
    exit();
}

if (!isset($_POST['application_id']) || !isset($_FILES['proof_screenshot'])) {
    $_SESSION['flash_message'] = ['type' => 'danger', 'message' => 'Invalid request.'];
    header('Location: dashboard.php');
    exit();
}

$application_id = $_POST['application_id'];
$user_id = $_SESSION['user']['id'];
$file = $_FILES['proof_screenshot'];

require_once 'db/config.php';
$pdo = db();

// Verify application belongs to the user
$stmt = $pdo->prepare("SELECT id FROM applications WHERE id = ? AND user_id = ? AND (status = 'awaiting_proof' OR status = 'pending_approval')");
$stmt->execute([$application_id, $user_id]);
if (!$stmt->fetch()) {
    $_SESSION['flash_message'] = ['type' => 'danger', 'message' => 'Invalid application or you are not allowed to perform this action.'];
    header('Location: dashboard.php');
    exit();
}

// File upload handling
if ($file['error'] !== UPLOAD_ERR_OK) {
    $_SESSION['flash_message'] = ['type' => 'danger', 'message' => 'Error uploading file.'];
    header('Location: dashboard.php');
    exit();
}

$allowed_types = ['image/jpeg', 'image/png', 'image/gif'];
if (!in_array($file['type'], $allowed_types)) {
    $_SESSION['flash_message'] = ['type' => 'danger', 'message' => 'Invalid file type. Only JPG, PNG, and GIF are allowed.'];
    header('Location: dashboard.php');
    exit();
}

if ($file['size'] > 5 * 1024 * 1024) { // 5 MB limit
    $_SESSION['flash_message'] = ['type' => 'danger', 'message' => 'File is too large. Maximum size is 5MB.'];
    header('Location: dashboard.php');
    exit();
}

$upload_dir = 'uploads/proofs/';
$filename = uniqid() . '-' . basename($file['name']);
$destination = $upload_dir . $filename;

if (move_uploaded_file($file['tmp_name'], $destination)) {
    // Update database
    $stmt = $pdo->prepare("INSERT INTO application_proofs (application_id, file_path) VALUES (?, ?)");
    $stmt->execute([$application_id, $destination]);

    $stmt = $pdo->prepare("UPDATE applications SET status = 'pending_approval' WHERE id = ?");
    $stmt->execute([$application_id]);

    $_SESSION['flash_message'] = ['type' => 'success', 'message' => 'Proof uploaded successfully. It is now pending review.'];
} else {
    $_SESSION['flash_message'] = ['type' => 'danger', 'message' => 'Failed to move uploaded file.'];
}

header('Location: dashboard.php');
exit();