<?php
/**
 * Delete Attachment API
 *
 * Handles deletion of ticket attachments
 */

// Capture errors for debugging
ini_set('display_errors', 0);
error_reporting(E_ALL);

// Apply rate limiting (also starts session)
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

// Ensure session is started
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

require_once dirname(__DIR__) . '/config/config.php';
require_once dirname(__DIR__) . '/helpers/ResponseHelper.php';
require_once dirname(__DIR__) . '/models/AttachmentModel.php';
require_once dirname(__DIR__) . '/models/AuditLogModel.php';
require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';

header('Content-Type: application/json');

// Check authentication
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
    ResponseHelper::unauthorized();
}

// Only accept DELETE or POST requests
if (!in_array($_SERVER['REQUEST_METHOD'], ['DELETE', 'POST'])) {
    ResponseHelper::error('Method not allowed', 405);
}

// Get request body
$input = json_decode(file_get_contents('php://input'), true);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $input = array_merge($_POST, $input ?? []);
}

// Verify CSRF token
$csrfToken = $input['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if (!CsrfMiddleware::validateToken($csrfToken)) {
    ResponseHelper::forbidden('Invalid CSRF token');
}

// Get attachment ID
$attachmentId = $input['attachment_id'] ?? null;
if (!$attachmentId || !is_numeric($attachmentId)) {
    ResponseHelper::error('Valid attachment ID is required');
}

$attachmentId = (int)$attachmentId;

try {
    $attachmentModel = new AttachmentModel();

    // Get attachment details
    $attachment = $attachmentModel->getAttachment($attachmentId);
    if (!$attachment) {
        ResponseHelper::notFound('Attachment not found');
    }

    // Check permission
    $isAdmin = $_SESSION['user']['is_admin'] ?? false;
    if (!$attachmentModel->canUserDelete($attachmentId, $_SESSION['user']['user_id'], $isAdmin)) {
        ResponseHelper::forbidden('You do not have permission to delete this attachment');
    }

    // Delete the file
    $uploadDir = $GLOBALS['config']['UPLOAD_DIR'] ?? dirname(__DIR__) . '/uploads';
    $filePath = $uploadDir . '/' . $attachment['ticket_id'] . '/' . $attachment['filename'];

    if (file_exists($filePath)) {
        if (!unlink($filePath)) {
            ResponseHelper::serverError('Failed to delete file');
        }
    }

    // Delete from database
    if (!$attachmentModel->deleteAttachment($attachmentId)) {
        ResponseHelper::serverError('Failed to delete attachment record');
    }

    // Log the deletion
    $conn = new mysqli(
        $GLOBALS['config']['DB_HOST'],
        $GLOBALS['config']['DB_USER'],
        $GLOBALS['config']['DB_PASS'],
        $GLOBALS['config']['DB_NAME']
    );
    if (!$conn->connect_error) {
        $auditLog = new AuditLogModel($conn);
        $auditLog->log(
            $_SESSION['user']['user_id'],
            'attachment_delete',
            'ticket_attachments',
            (string)$attachmentId,
            [
                'ticket_id' => $attachment['ticket_id'],
                'filename' => $attachment['original_filename'],
                'size' => $attachment['file_size']
            ]
        );
        $conn->close();
    }

    ResponseHelper::success([], 'Attachment deleted successfully');

} catch (Exception $e) {
    ResponseHelper::serverError('Failed to delete attachment');
}