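<?php
declare(strict_types=1);

session_start();
require_once 'config/db_config.php'; // expects $pdo (PDO)

/**
 * Store a one-shot flash message in the session and redirect the browser.
 *
 * Every early exit in this script follows the same pattern, so it lives here once.
 *
 * @param string $key      session key the target page reads ('error' or 'success')
 * @param string $message  text shown to the user on the target page
 * @param string $location relative URL to redirect to
 */
function redirectWithFlash(string $key, string $message, string $location): void
{
    $_SESSION[$key] = $message;
    header('Location: ' . $location);
    exit();
}

// ---- Auth (admins and branch users) ----
if (!isset($_SESSION['user_id'], $_SESSION['role'])) {
    redirectWithFlash('error', 'You must be logged in to delete an order.', 'login.php');
}

// ---- Only a POST may delete; a crafted link (GET) must never reach the delete path ----
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    redirectWithFlash('error', 'Invalid request method.', 'orders.php');
}

// ---- Validate CSRF token ----
// Both sides must be strings (a missing session token or an array posted as
// `csrf[]` would otherwise be compared loosely) and the comparison is
// constant-time so the token cannot be recovered byte by byte via timing.
$sessionToken = $_SESSION['csrf_token'] ?? null;
$postedToken  = $_POST['csrf'] ?? null;
if (!is_string($sessionToken) || !is_string($postedToken) || !hash_equals($sessionToken, $postedToken)) {
    redirectWithFlash('error', 'Invalid CSRF token.', 'orders.php');
}

// ---- Validate order_id ----
// FILTER_VALIDATE_INT with min_range rejects floats, exponent notation, negatives
// and zero, all of which is_numeric() would have let through before the (int) cast.
$order_id = filter_var(
    $_POST['order_id'] ?? null,
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]
);
if ($order_id === false) {
    redirectWithFlash('error', 'Invalid order ID.', 'orders.php');
}

// ---- Role-based access control ----
try {
    // Look up the order's branch so branch users can only delete their own orders.
    $stmt = $pdo->prepare('SELECT branch_id FROM orders WHERE order_id = :order_id');
    $stmt->execute(['order_id' => $order_id]);
    $order = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$order) {
        redirectWithFlash('error', 'Order not found.', 'orders.php');
    }

    // NOTE(review): any role other than 'branch' skips the ownership check entirely;
    // presumably only admins reach this point — confirm, and prefer an explicit
    // allowlist of roles (e.g. `in_array($_SESSION['role'], [<ADMIN_ROLE>, 'branch'], true)`)
    // so an unexpected role value is denied rather than granted.
    if ($_SESSION['role'] === 'branch') {
        $userBranchId = $_SESSION['branch_id'] ?? null;
        // Strict comparison on the string form: the driver may return the column as a
        // string while the session holds an int, and a branch user with no branch_id
        // at all must be denied rather than matched against NULL.
        if ($userBranchId === null || (string)$order['branch_id'] !== (string)$userBranchId) {
            redirectWithFlash('error', 'You do not have permission to delete this order.', 'orders.php');
        }
    }

    // Begin transaction to ensure data integrity
    $pdo->beginTransaction();

    // Delete order items first (due to foreign key constraints)
    $stmt = $pdo->prepare('DELETE FROM order_items WHERE order_id = :order_id');
    $stmt->execute(['order_id' => $order_id]);

    // Delete the order
    $stmt = $pdo->prepare('DELETE FROM orders WHERE order_id = :order_id');
    $stmt->execute(['order_id' => $order_id]);

    // Commit transaction
    $pdo->commit();

    redirectWithFlash('success', 'Order deleted successfully!', 'orders.php?deleted=1');
} catch (PDOException $e) {
    // Only roll back if a transaction was actually started: the SELECT above can
    // throw before beginTransaction(), and rollBack() without an active
    // transaction raises a second PDOException that would mask the first.
    if ($pdo->inTransaction()) {
        $pdo->rollBack();
    }
    // Keep the driver/SQL message server-side; showing it to the browser leaks
    // schema and connection details. The user gets a generic message instead.
    error_log(sprintf('delete_order: order_id=%d: %s', $order_id, $e->getMessage()));
    redirectWithFlash('error', 'Error deleting order. Please try again.', 'orders.php');
}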