<?php 
$rootPath = dirname(dirname(__DIR__));
require_once($rootPath . '/src/config/env.php');
include_once($rootPath . '/src/config/connection.php');
include_once($rootPath . '/src/config/functions.php');

session_start();
$user_id = $_SESSION['user_id'] ?? null;

// CSRF Token Validation
if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
    http_response_code(403);
    die('Security token validation failed. Please try again.');
}

// campsites.php
$conn = openDatabaseConnection();

// Get text inputs
$name = validateName($_POST['name'] ?? '') ?: '';
$desc = isset($_POST['description']) ? htmlspecialchars($_POST['description'], ENT_QUOTES, 'UTF-8') : '';
$country = isset($_POST['country']) ? htmlspecialchars($_POST['country'], ENT_QUOTES, 'UTF-8') : '';
$province = isset($_POST['province']) ? htmlspecialchars($_POST['province'], ENT_QUOTES, 'UTF-8') : '';
$lat = isset($_POST['latitude']) ? floatval($_POST['latitude']) : 0.0;
$lng = isset($_POST['longitude']) ? floatval($_POST['longitude']) : 0.0;
$website = isset($_POST['website']) ? filter_var($_POST['website'], FILTER_VALIDATE_URL) : '';
$telephone = validatePhoneNumber($_POST['telephone'] ?? '') ?: '';

if (empty($name)) {
    http_response_code(400);
    die('Campsite name is required.');
}

// Handle file upload
$thumbnailPath = null;
if (isset($_FILES['thumbnail']) && $_FILES['thumbnail']['error'] !== UPLOAD_ERR_NO_FILE) {
    // Validate file using hardened validation function
    $validationResult = validateFileUpload($_FILES['thumbnail'], 'profile_picture');
    
    if ($validationResult === false) {
        http_response_code(400);
        die('Invalid thumbnail image. Only JPG, JPEG, PNG, GIF, and WEBP images under 5MB are allowed.');
    }
    
    $uploadDir = $rootPath . "/assets/uploads/campsites/";
    if (!is_dir($uploadDir)) {
        mkdir($uploadDir, 0755, true);
    }
    
    if (!is_writable($uploadDir)) {
        http_response_code(500);
        die('Upload directory is not writable.');
    }
    
    $randomFilename = $validationResult['filename'];
    $targetFile = $uploadDir . $randomFilename;
    
    if (move_uploaded_file($_FILES["thumbnail"]["tmp_name"], $targetFile)) {
        chmod($targetFile, 0644);
        $thumbnailPath = "assets/uploads/campsites/" . $randomFilename;
    } else {
        http_response_code(500);
        die('Failed to move uploaded file.');
    }
}

$id = isset($_POST['id']) ? intval($_POST['id']) : 0;

if ($id > 0) {
  // Verify ownership - check if the campsite belongs to the current user
  $ownerCheckStmt = $conn->prepare("SELECT user_id FROM campsites WHERE id = ?");
  $ownerCheckStmt->bind_param("i", $id);
  $ownerCheckStmt->execute();
  $ownerResult = $ownerCheckStmt->get_result();
  
  if ($ownerResult->num_rows === 0) {
    http_response_code(404);
    die('Campsite not found.');
  }
  
  $ownerRow = $ownerResult->fetch_assoc();
  if ($ownerRow['user_id'] != $user_id) {
    http_response_code(403);
    die('You do not have permission to edit this campsite. Only the owner can make changes.');
  }
  
  $ownerCheckStmt->close();
  
  // UPDATE
  if ($thumbnailPath) {
    $stmt = $conn->prepare("UPDATE campsites SET name=?, description=?, country=?, province=?, latitude=?, longitude=?, website=?, telephone=?, thumbnail=? WHERE id=?");
    $stmt->bind_param("ssssddsssi", $name, $desc, $country, $province, $lat, $lng, $website, $telephone, $thumbnailPath, $id);
  } else {
    $stmt = $conn->prepare("UPDATE campsites SET name=?, description=?, country=?, province=?, latitude=?, longitude=?, website=?, telephone=? WHERE id=?");
    $stmt->bind_param("ssssddssi", $name, $desc, $country, $province, $lat, $lng, $website, $telephone, $id);
  }
  
  // Log the action
  auditLog($user_id, 'CAMPSITE_UPDATE', 'campsites', $id, ['name' => $name]);
} else {
  // INSERT
  $stmt = $conn->prepare("INSERT INTO campsites (name, description, country, province, latitude, longitude, website, telephone, thumbnail, user_id)
                        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
  $stmt->bind_param("ssssddsssi", $name, $desc, $country, $province, $lat, $lng, $website, $telephone, $thumbnailPath, $user_id);
  
  // Log the action
  auditLog($user_id, 'CAMPSITE_CREATE', 'campsites', 0, ['name' => $name]);
}

if (!$stmt->execute()) {
    http_response_code(500);
    die('Database error: ' . $stmt->error);
}

$stmt->close();

header("Location: campsites");
?>