<?php
session_start();
require_once 'db/config.php';

if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

$user_id = $_SESSION['user_id'];
$round_id = $_POST['round_id'] ?? null;
$status = $_POST['status'] ?? null;

if (!$round_id || !in_array($status, ['Closed', 'Cancelled'])) {
    header('Location: startups.php');
    exit;
}

// Verify that the user owns the startup associated with this round
$stmt = db()->prepare("
    SELECT fr.*, s.founder_id 
    FROM funding_rounds fr 
    JOIN startups s ON fr.startup_id = s.id 
    WHERE fr.id = ?
");
$stmt->execute([$round_id]);
$round = $stmt->fetch();

if (!$round || $round['founder_id'] != $user_id) {
    die("Unauthorized action.");
}

// Update the round status
$stmt = db()->prepare("UPDATE funding_rounds SET status = ? WHERE id = ?");
$stmt->execute([$status, $round_id]);

// If closed/cancelled, we should also ensure the startup status is updated if needed, 
// though the app uses funding_rounds status for 'Active' logic.
// In startups.php, it checks: LEFT JOIN funding_rounds fr ON s.id = fr.startup_id AND fr.status = 'Active'

header('Location: startups.php?success=status_updated');
exit;