<?php
$rootPath = dirname(dirname(dirname(__DIR__)));
require_once($rootPath . "/src/config/env.php");
require_once($rootPath . "/src/config/connection.php");
require_once($rootPath . "/src/config/functions.php");
session_start();

if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    echo "Not authorized";
    exit;
}

$article_id = (int)($_POST['id'] ?? 0);
$user_id = $_SESSION['user_id'];
$role = getUserRole();

if ($article_id <= 0) {
    http_response_code(400);
    echo "Invalid blog ID";
    exit;
}

// Check permissions: user must be author or admin
$stmt = $conn->prepare("SELECT author FROM blogs WHERE blog_id = ?");
$stmt->bind_param("i", $article_id);
$stmt->execute();
$result = $stmt->get_result();
$blog = $result->fetch_assoc();
$stmt->close();

if (!$blog) {
    http_response_code(404);
    echo "Blog not found";
    exit;
}

// Allow if user is author or admin
if ($blog['author'] != $user_id && !in_array($role, ['admin', 'superadmin'])) {
    http_response_code(403);
    echo "Not authorized to publish this blog";
    exit;
}

$stmt = $conn->prepare("UPDATE blogs SET status = 'published' WHERE blog_id = ?");
$stmt->bind_param("i", $article_id);

if ($stmt->execute()) {
    echo "Published";
} else {
    http_response_code(500);
    echo "Failed to publish: " . $stmt->error;
}
?>