<?php
// Bootstrap application
require_once __DIR__ . "/../../../config/bootstrap.php";
require_once __DIR__ . '/../../../src/AdminAuth.php';

/**
 * Handle publish/unpublish actions for theses
 */
// PHP-level auth guard (defence-in-depth behind nginx Basic Auth)
AdminAuth::requireLogin();

require_once __DIR__ . '/../../../src/Database.php';

// Verify CSRF token
if (!isset($_POST['csrf_token']) || !isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    App::flash('error', "Erreur de sécurité : token invalide.");
    header('Location: ../index.php');
    exit;
}

$action = isset($_POST['action']) ? $_POST['action'] : '';
$isBulk = isset($_POST['bulk']) && $_POST['bulk'] == '1';

if (!in_array($action, ['publish', 'unpublish'])) {
    App::flash('error', "Action invalide.");
    header('Location: ../index.php');
    exit;
}

try {
    $db = new Database();
    $pdo = $db->getPDO();

    $isPublished = ($action === 'publish') ? 1 : 0;

    if ($isBulk) {
        // Handle bulk action
        $thesisIds = isset($_POST['selected_theses']) ? $_POST['selected_theses'] : [];

        if (empty($thesisIds)) {
            App::flash('error', "Aucun TFE sélectionné.");
            header('Location: ../index.php');
            exit;
        }

        // Validate all IDs are integers
        $thesisIds = array_map('intval', $thesisIds);
        $thesisIds = array_filter($thesisIds, fn($id) => $id > 0);

        if (empty($thesisIds)) {
            App::flash('error', "IDs invalides.");
            header('Location: ../index.php');
            exit;
        }

        // Prepare placeholders for IN clause
        $placeholders = str_repeat('?,', count($thesisIds) - 1) . '?';
        $sql = "UPDATE theses SET is_published = ?, updated_at = CURRENT_TIMESTAMP WHERE id IN ($placeholders)";

        $stmt = $pdo->prepare($sql);
        $params = array_merge([$isPublished], $thesisIds);
        $stmt->execute($params);

        $count = count($thesisIds);
        if ($action === 'publish') {
            App::flash('success', "$count TFE(s) publié(s) avec succès!");
        } else {
            App::flash('success', "$count TFE(s) retiré(s) de la publication.");
        }

    } else {
        // Handle single action
        $thesisId = isset($_POST['thesis_id']) ? intval($_POST['thesis_id']) : 0;

        if ($thesisId <= 0) {
            App::flash('error', "ID invalide.");
            header('Location: ../index.php');
            exit;
        }

        $stmt = $pdo->prepare("UPDATE theses SET is_published = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?");
        $stmt->execute([$isPublished, $thesisId]);

        if ($action === 'publish') {
            App::flash('success', "TFE publié avec succès!");
        } else {
            App::flash('success', "TFE retiré de la publication.");
        }
    }

} catch (Exception $e) {
    error_log("Publish error: " . $e->getMessage());
    App::flash('error', "Erreur lors de la modification: " . $e->getMessage());
}

// Regenerate CSRF token
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));

header('Location: ../index.php');
exit;