<?php
/**
 * Delete Attachment API
 *
 * Handles deletion of ticket attachments
 */

// Apply rate limiting
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

session_start();
require_once dirname(__DIR__) . '/config/config.php';
require_once dirname(__DIR__) . '/helpers/ResponseHelper.php';
require_once dirname(__DIR__) . '/models/AttachmentModel.php';
require_once dirname(__DIR__) . '/models/AuditLogModel.php';
require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';

header('Content-Type: application/json');

// Check authentication
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
    ResponseHelper::unauthorized();
}

// Only accept DELETE or POST requests
if (!in_array($_SERVER['REQUEST_METHOD'], ['DELETE', 'POST'])) {
    ResponseHelper::error('Method not allowed', 405);
}

// Get request body
$input = json_decode(file_get_contents('php://input'), true);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $input = array_merge($_POST, $input ?? []);
}

// Verify CSRF token
$csrfToken = $input['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if (!CsrfMiddleware::validateToken($csrfToken)) {
    $auditLog = new AuditLogModel();
    $auditLog->logCsrfFailure($_SESSION['user']['user_id'] ?? null, 'delete_attachment');
    ResponseHelper::forbidden('Invalid CSRF token');
}

// Get attachment ID
$attachmentId = $input['attachment_id'] ?? null;
if (!$attachmentId || !is_numeric($attachmentId)) {
    ResponseHelper::error('Valid attachment ID is required');
}

$attachmentId = (int)$attachmentId;

try {
    $attachmentModel = new AttachmentModel();

    // Get attachment details
    $attachment = $attachmentModel->getAttachment($attachmentId);
    if (!$attachment) {
        ResponseHelper::notFound('Attachment not found');
    }

    // Check permission
    $isAdmin = $_SESSION['user']['is_admin'] ?? false;
    if (!$attachmentModel->canUserDelete($attachmentId, $_SESSION['user']['user_id'], $isAdmin)) {
        ResponseHelper::forbidden('You do not have permission to delete this attachment');
    }

    // Delete the file
    $uploadDir = $GLOBALS['config']['UPLOAD_DIR'] ?? dirname(__DIR__) . '/uploads';
    $filePath = $uploadDir . '/' . $attachment['ticket_id'] . '/' . $attachment['filename'];

    if (file_exists($filePath)) {
        if (!unlink($filePath)) {
            ResponseHelper::serverError('Failed to delete file');
        }
    }

    // Delete from database
    if (!$attachmentModel->deleteAttachment($attachmentId)) {
        ResponseHelper::serverError('Failed to delete attachment record');
    }

    // Log the deletion
    $auditLog = new AuditLogModel();
    $auditLog->log(
        $_SESSION['user']['user_id'],
        'attachment_delete',
        'ticket_attachments',
        $attachmentId,
        json_encode([
            'ticket_id' => $attachment['ticket_id'],
            'filename' => $attachment['original_filename'],
            'size' => $attachment['file_size']
        ]),
        null
    );

    ResponseHelper::success([], 'Attachment deleted successfully');

} catch (Exception $e) {
    ResponseHelper::serverError('Failed to delete attachment');
}