<?php
require_once __DIR__ . '/db/config.php';

// Auth and Role check
if (!isset($_SESSION['user_id']) || !in_array($_SESSION['role'], ['Admin', 'Finance'])) {
    $_SESSION['error'] = "You do not have permission to update invoice status.";
    header("Location: invoices.php");
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header("Location: invoices.php");
    exit;
}

$invoice_id = $_POST['invoice_id'] ?? null;
$status = $_POST['status'] ?? null;

if ($invoice_id && $status) {
    try {
        $stmt = db()->prepare("UPDATE invoices SET status = ? WHERE id = ?");
        $stmt->execute([$status, $invoice_id]);

        // Log action
        $log_stmt = db()->prepare("INSERT INTO audit_logs (user_id, action, entity_type, entity_id, details) VALUES (?, ?, ?, ?, ?)");
        $log_stmt->execute([$_SESSION['user_id'], 'UPDATE_STATUS', 'INVOICE', $invoice_id, "New status: $status"]);

        $_SESSION['success'] = "Invoice status updated to $status.";
    } catch (Exception $e) {
        $_SESSION['error'] = "Error updating status: " . $e->getMessage();
    }
}

header("Location: invoices.php");
exit;