<?php
defined($security_key) or exit;

//------------------------------------------
// Upgrade Paths Management
//------------------------------------------

//Connect to DB
$pdo = dbConnect($dbname);

//CONTENT FROM API (POST)
$post_content = json_decode($input,true);

//SoldTo is empty
if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';}

//default whereclause
list($whereclause,$condition) = getWhereclause('',$permission,$partner,'');

//SET PARAMETERS FOR QUERY
$id = $post_content['id'] ?? ''; //check for id
$command = ($id == '')? 'insert' : 'update';  //IF id = empty then INSERT
if (isset($post_content['delete'])){$command = 'delete';} //change command to delete
$date = date('Y-m-d H:i:s');

//CREATE EMPTY STRINGS
$clause = '';
$clause_insert ='';
$input_insert = '';

//ADD STANDARD PARAMETERS TO ARRAY BASED ON INSERT OR UPDATE
if ($command == 'update'){
    $post_content['updated'] = $date;
    $post_content['updatedby'] = $username;
}
elseif ($command == 'insert'){
    $post_content['created'] = $date;
    $post_content['createdby'] = $username;
}

//BUILD UP CLAUSE
$execute_input = [];
foreach ($post_content as $key => $value) {
    if ($key == 'id' || $key == 'delete') continue;

    if ($command == 'insert') {
        $clause_insert .= $key.',';
        $input_insert .= '?,';
        $execute_input[] = $value;
    } elseif ($command == 'update') {
        $clause .= $key.'=?,';
        $execute_input[] = $value;
    }
}

//CLEAN UP INPUT
$clause = substr($clause, 0, -1); //Clean clause - remove last comma
$clause_insert = substr($clause_insert, 0, -1); //Clean clause - remove last comma
$input_insert = substr($input_insert, 0, -1); //Clean clause - remove last comma

//QUERY AND VERIFY ALLOWED
if ($command == 'update' && isAllowed('upgrade_paths',$profile,$permission,'U') === 1){
    $sql = 'UPDATE upgrade_paths SET '.$clause.' WHERE id = ?';
    $execute_input[] = $id;
    $stmt = $pdo->prepare($sql);
    $stmt->execute($execute_input);
}
elseif ($command == 'insert' && isAllowed('upgrade_paths',$profile,$permission,'C') === 1){
    $sql = 'INSERT INTO upgrade_paths ('.$clause_insert.') VALUES ('.$input_insert.')';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($execute_input);
}
elseif ($command == 'delete' && isAllowed('upgrade_paths',$profile,$permission,'D') === 1){
    $stmt = $pdo->prepare('DELETE FROM upgrade_paths WHERE id = ?');
    $stmt->execute([$id]);

    //Add deletion to changelog
    changelog($dbname,'upgrade_paths',$id,'Delete','Delete',$username);
} else {
    http_response_code(403);
    echo json_encode(['error' => 'Operation not allowed']);
}

?>