<?php
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';

AdminAuth::requireLogin();

require_once __DIR__ . '/../../../src/Database.php';
require_once __DIR__ . '/../../../src/AdminLogger.php';

// CSRF validation
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    App::flash('error', 'Erreur de sécurité : token invalide.');
    header('Location: ../index.php');
    exit;
}

$isBulk      = !empty($_POST['bulk']);
$isDeleteAll = !empty($_POST['delete_all']);

try {
    $db = new Database();

    $logger = AdminLogger::make();

    if ($isDeleteAll) {
        $count = $db->deleteAllTheses();
        $logger->logDeleteAllTheses($count);
        App::flash('success', "$count TFE(s) supprimé(s) avec succès.");

    } elseif ($isBulk) {
        $ids = array_filter(array_map('intval', $_POST['selected_theses'] ?? []), fn($id) => $id > 0);

        if (empty($ids)) {
            App::flash('error', 'Aucun TFE sélectionné.');
            header('Location: ../index.php');
            exit;
        }

        $db->bulkDeleteTheses($ids);
        $logger->logDelete(array_values($ids));
        $count = count($ids);
        App::flash('success', "$count TFE(s) supprimé(s) avec succès.");

    } else {
        $thesisId = filter_var($_POST['thesis_id'] ?? '', FILTER_VALIDATE_INT);

        if (!$thesisId || $thesisId <= 0) {
            App::flash('error', 'ID invalide.');
            header('Location: ../index.php');
            exit;
        }

        $db->deleteThesis($thesisId);
        $logger->logDelete([$thesisId]);
        App::flash('success', 'TFE supprimé avec succès.');
    }

} catch (Exception $e) {
    error_log('delete.php error: ' . $e->getMessage());
    App::flash('error', 'Erreur lors de la suppression : ' . $e->getMessage());
}

$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
header('Location: ../index.php');
exit;