<?php
require_once 'auth/session.php';
requireLogin();

$user_id = $_SESSION['user_id'];
$data = json_decode(file_get_contents('php://input'), true) ?? $_POST;

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $server_id = $_GET['server_id'] ?? 0;
    $stmt = db()->prepare("SELECT * FROM roles WHERE server_id = ? ORDER BY position DESC");
    $stmt->execute([$server_id]);
    echo json_encode(['success' => true, 'roles' => $stmt->fetchAll()]);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $server_id = $data['server_id'] ?? 0;
    $action = $data['action'] ?? 'create';

    // Check if user is owner of server
    $stmt = db()->prepare("SELECT owner_id FROM servers WHERE id = ?");
    $stmt->execute([$server_id]);
    $server = $stmt->fetch();
    if (!$server || $server['owner_id'] != $user_id) {
        echo json_encode(['success' => false, 'error' => 'Unauthorized']);
        exit;
    }

    if ($action === 'create') {
        $name = $data['name'] ?? 'New Role';
        $color = $data['color'] ?? '#99aab5';
        $stmt = db()->prepare("INSERT INTO roles (server_id, name, color) VALUES (?, ?, ?)");
        $stmt->execute([$server_id, $name, $color]);
        echo json_encode(['success' => true, 'role_id' => db()->lastInsertId()]);
    } elseif ($action === 'assign') {
        $target_user_id = $data['user_id'] ?? 0;
        $role_id = $data['role_id'] ?? 0;
        $stmt = db()->prepare("INSERT IGNORE INTO user_roles (user_id, role_id) VALUES (?, ?)");
        $stmt->execute([$target_user_id, $role_id]);
        echo json_encode(['success' => true]);
    } elseif ($action === 'unassign') {
        $target_user_id = $data['user_id'] ?? 0;
        $role_id = $data['role_id'] ?? 0;
        $stmt = db()->prepare("DELETE FROM user_roles WHERE user_id = ? AND role_id = ?");
        $stmt->execute([$target_user_id, $role_id]);
        echo json_encode(['success' => true]);
    }
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'PUT') {
    $role_id = $data['id'] ?? 0;
    $name = $data['name'] ?? '';
    $color = $data['color'] ?? '';
    $permissions = $data['permissions'] ?? null;

    // Check server ownership via role
    $stmt = db()->prepare("SELECT s.owner_id FROM servers s JOIN roles r ON s.id = r.server_id WHERE r.id = ?");
    $stmt->execute([$role_id]);
    $server = $stmt->fetch();

    if ($server && $server['owner_id'] == $user_id) {
        $stmt = db()->prepare("UPDATE roles SET name = ?, color = ?, permissions = ? WHERE id = ?");
        $stmt->execute([$name, $color, $permissions, $role_id]);
        echo json_encode(['success' => true]);
    } else {
        echo json_encode(['success' => false, 'error' => 'Unauthorized']);
    }
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'DELETE') {
    $role_id = $data['id'] ?? 0;
    $stmt = db()->prepare("SELECT s.owner_id FROM servers s JOIN roles r ON s.id = r.server_id WHERE r.id = ?");
    $stmt->execute([$role_id]);
    $server = $stmt->fetch();

    if ($server && $server['owner_id'] == $user_id) {
        $stmt = db()->prepare("DELETE FROM roles WHERE id = ?");
        $stmt->execute([$role_id]);
        echo json_encode(['success' => true]);
    } else {
        echo json_encode(['success' => false, 'error' => 'Unauthorized']);
    }
    exit;
}