<?php
/**
 * API endpoint for deleting a comment
 */

// Disable error display in the output
ini_set('display_errors', 0);
error_reporting(E_ALL);

// Apply rate limiting
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
RateLimitMiddleware::apply('api');

// Start output buffering
ob_start();

try {
    require_once dirname(__DIR__) . '/config/config.php';
    require_once dirname(__DIR__) . '/helpers/Database.php';
    require_once dirname(__DIR__) . '/models/CommentModel.php';
    require_once dirname(__DIR__) . '/models/TicketModel.php';
    require_once dirname(__DIR__) . '/models/AuditLogModel.php';

    // Check authentication via session
    session_start();
    if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
        throw new Exception("Authentication required");
    }

    // CSRF Protection
    require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
    $csrfToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    if (!CsrfMiddleware::validateToken($csrfToken)) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['success' => false, 'error' => 'Invalid CSRF token']);
        exit;
    }

    $currentUser = $_SESSION['user'];
    $userId = $currentUser['user_id'];
    $isAdmin = $currentUser['is_admin'] ?? false;

    // Use centralized database connection
    $conn = Database::getConnection();

    // Get data - support both POST body and query params
    $data = json_decode(file_get_contents('php://input'), true);

    if (!$data || !isset($data['comment_id'])) {
        // Try query params
        if (isset($_GET['comment_id'])) {
            $data = ['comment_id' => $_GET['comment_id']];
        } else {
            throw new Exception("Missing required field: comment_id");
        }
    }

    $commentId = (int)$data['comment_id'];

    // Initialize models
    $commentModel = new CommentModel($conn);
    $auditLog = new AuditLogModel($conn);

    // Get comment before deletion for audit log and access check
    $comment = $commentModel->getCommentById($commentId);

    // Verify user can access the parent ticket
    if ($comment) {
        $ticketModel = new TicketModel($conn);
        $ticket = $ticketModel->getTicketById($comment['ticket_id']);
        if (!$ticket || !$ticketModel->canUserAccessTicket($ticket, $currentUser)) {
            ob_end_clean();
            http_response_code(403);
            header('Content-Type: application/json');
            echo json_encode(['success' => false, 'error' => 'Access denied']);
            exit;
        }
    }

    // Delete comment
    $result = $commentModel->deleteComment($commentId, $userId, $isAdmin);

    // Log the deletion if successful
    if ($result['success'] && $comment) {
        $auditLog->log(
            $userId,
            'delete',
            'comment',
            (string)$commentId,
            [
                'ticket_id' => $comment['ticket_id'],
                'comment_text_preview' => substr($comment['comment_text'], 0, 100)
            ]
        );
    }

    // Discard any unexpected output
    ob_end_clean();

    header('Content-Type: application/json');
    echo json_encode($result);

} catch (Exception $e) {
    ob_end_clean();
    error_log("Delete comment API error: " . $e->getMessage());
    header('Content-Type: application/json');
    echo json_encode([
        'success' => false,
        'error' => 'An internal error occurred'
    ]);
}