<?php
require_once __DIR__ . '/../../../config/bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
AdminAuth::requireLogin();

if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    $_SESSION['error'] = "Erreur de sécurité : token invalide.";
    header('Location: /admin/');
    exit;
}

require_once __DIR__ . '/../../../src/Database.php';

$action      = $_POST['action'] ?? '';          // 'set_visibility'
$accessTypeId = filter_var($_POST['access_type_id'] ?? '', FILTER_VALIDATE_INT) ?: null;
$isBulk      = !empty($_POST['bulk']);

$validAccess = [null, 1, 2, 3];
if (!in_array($accessTypeId, $validAccess, true)) {
    $_SESSION['error'] = "Valeur de visibilité invalide.";
    header('Location: /admin/');
    exit;
}

try {
    $db = new Database();

    if ($isBulk) {
        $ids = array_filter(array_map('intval', $_POST['selected_theses'] ?? []), fn($id) => $id > 0);
        if (empty($ids)) {
            $_SESSION['error'] = "Aucun TFE sélectionné.";
            header('Location: /admin/');
            exit;
        }
        $db->bulkSetVisibility($ids, $accessTypeId);
        $_SESSION['success'] = count($ids) . " TFE(s) mis à jour.";
    } else {
        $thesisId = filter_var($_POST['thesis_id'] ?? '', FILTER_VALIDATE_INT);
        if (!$thesisId) {
            $_SESSION['error'] = "ID invalide.";
            header('Location: /admin/');
            exit;
        }
        $db->setVisibility($thesisId, $accessTypeId);
        $_SESSION['success'] = "Visibilité mise à jour.";
    }
} catch (Exception $e) {
    error_log("visibility.php error: " . $e->getMessage());
    $_SESSION['error'] = "Erreur : " . $e->getMessage();
}

$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
header('Location: /admin/');
exit;