<?php
require_once __DIR__ . '/../auth.php';
$user = requireAuth();

$input = json_decode(file_get_contents('php://input'), true);
if (!$input) {
    // Fallback to traditional POST
    $input = $_POST;
}

$ticketId = $input['ticket_id'] ?? null;
$status = $input['status'] ?? null;
$priority = $input['priority'] ?? null;
$helperId = $input['helper_id'] ?? null;

if (!$ticketId) {
    echo json_encode(['error' => 'Missing ticket_id']);
    exit;
}

// Fetch ticket
$stmt = db()->prepare("SELECT * FROM tickets WHERE id = ?");
$stmt->execute([$ticketId]);
$ticket = $stmt->fetch();

if (!$ticket) {
    echo json_encode(['error' => 'Ticket not found']);
    exit;
}

// Check access
if ($user['role'] === 'user' && $ticket['user_id'] != $user['id']) {
    echo json_encode(['error' => 'Access denied']);
    exit;
}

// For users, only closing is allowed
if ($user['role'] === 'user') {
    if ($status === 'closed') {
        $stmt = db()->prepare("UPDATE tickets SET status = 'closed' WHERE id = ?");
        $stmt->execute([$ticketId]);
        echo json_encode(['success' => true]);
    } else {
        echo json_encode(['error' => 'Only closing is allowed for users']);
    }
    exit;
}

// For helpers and curators, allow everything
if ($status) {
    $stmt = db()->prepare("UPDATE tickets SET status = ? WHERE id = ?");
    $stmt->execute([$status, $ticketId]);
}

if ($priority) {
    $stmt = db()->prepare("UPDATE tickets SET priority = ? WHERE id = ?");
    $stmt->execute([$priority, $ticketId]);
}

if ($helperId !== null && $user['role'] === 'curator') {
    $stmt = db()->prepare("UPDATE tickets SET helper_id = ? WHERE id = ?");
    $stmt->execute([$helperId == 0 ? null : $helperId, $ticketId]);
}

echo json_encode(['success' => true]);