<?php
/**
 * Student-access link actions (create, toggle, set_password, archive).
 */
require_once __DIR__ . '/../../../bootstrap.php';
require_once __DIR__ . '/../../../src/AdminAuth.php';
require_once __DIR__ . '/../../../src/ShareLink.php';
require_once __DIR__ . '/../../../src/AdminLogger.php';

error_log('[acces-etudiante.php] ENTRY | method=' . $_SERVER['REQUEST_METHOD'] . ' | action=' . ($_POST['action'] ?? 'none') . ' | post_keys=' . implode(',', array_keys($_POST)));

App::adminGuard();

if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    http_response_code(403);
    exit('CSRF token invalide.');
}

$action    = $_POST['action'] ?? '';
$id        = isset($_POST['id']) ? intval($_POST['id']) : 0;
$shareLink = ShareLink::make();
$logger    = AdminLogger::make();

switch ($action) {
    case 'create':
        $name       = !empty($_POST['name']) ? trim($_POST['name']) : null;
        $expiresRaw = !empty($_POST['expires_at']) ? trim($_POST['expires_at']) : null;
        $expiresAt  = null;
        if ($expiresRaw) {
            $expiresAt = date('Y-m-d H:i:s', strtotime($expiresRaw));
            if ($expiresAt <= date('Y-m-d H:i:s')) {
                App::redirect('/admin/acces.php', error: "La date d'expiration doit être dans le futur.");
            }
        }
        $objetRaw = $_POST['objet_restriction'] ?? ['tfe'];
        $validObjet = ['tfe', 'thèse', 'frart'];
        $selected = is_array($objetRaw) ? array_intersect($objetRaw, $validObjet) : [];
        $objetRestriction = !empty($selected) ? implode(',', $selected) : 'tfe';
        $lockedYearRaw = $_POST['locked_year'] ?? null;
        $lockedYear = null;
        if ($lockedYearRaw !== null && $lockedYearRaw !== '') {
            $lockedYear = filter_var($lockedYearRaw, FILTER_VALIDATE_INT);
            if ($lockedYear === false || $lockedYear < 2000 || $lockedYear > ((int)date('Y') + 3)) {
                $lockedYear = null;
            }
        }
        $link = $shareLink->create(1, $expiresAt, $objetRestriction, $name, $lockedYear);
        $logger->logLinkCreate(
            $link['slug'] ?? '',
            true, // Always has password
            $expiresAt,
            $objetRestriction
        );
        // Flash the generated password and slug for display in the modal
        $_SESSION['_flash_new_link_slug']     = $link['slug'] ?? '';
        $_SESSION['_flash_new_link_password'] = $link['_plain_password'] ?? '';
        App::redirect('/admin/acces.php', success: 'Lien d\'accès créé.');
        break;

    case 'toggle':
        if ($id > 0) {
            $nowActive = $shareLink->toggleActive($id);
            $logger->logLinkToggle($id, $nowActive);
            App::redirect('/admin/acces.php', success: 'Statut du lien modifié.');
        } else {
            App::redirect('/admin/acces.php', error: 'Lien introuvable.');
        }
        break;

    case 'set_password':
        if ($id > 0) {
            $password = isset($_POST['password']) && $_POST['password'] !== '' ? trim($_POST['password']) : null;
            $shareLink->setPassword($id, $password);
            $logger->logLinkPasswordChange($id, $password === null);
            App::redirect('/admin/acces.php', success: 'Mot de passe mis à jour.');
        } else {
            App::redirect('/admin/acces.php', error: 'Lien introuvable.');
        }
        break;

    case 'archive':
        if ($id > 0) {
            $shareLink->archive($id);
            $logger->logLinkArchive($id);
            App::redirect('/admin/acces.php', success: 'Lien archivé.');
        } else {
            App::redirect('/admin/acces.php', error: 'Lien introuvable.');
        }
        break;

    case 'update':
        if ($id > 0) {
            $name       = isset($_POST['name']) ? trim($_POST['name']) : null;
            $expiresRaw = isset($_POST['expires_at']) ? trim($_POST['expires_at']) : null;
            // locked_year: null=not sent (keep), ""=clear, otherwise year string
            $lockedYearRaw = $_POST['locked_year'] ?? null;
            $lockedYear = null; // default: not sent → don't change
            if ($lockedYearRaw !== null) {
                $lockedYear = $lockedYearRaw; // pass through: "" for clear, "2026" for set
            }
            $shareLink->update($id, $name, $expiresRaw, $lockedYear);
            App::redirect('/admin/acces.php', success: 'Lien mis à jour.');
        } else {
            App::redirect('/admin/acces.php', error: 'Lien introuvable.');
        }
        break;

    default:
        App::redirect('/admin/acces.php', error: 'Action inconnue.');
        break;
}