<?php
/**
 * api/toggle_pin.php
 * POST: toggle is_pinned on a session or novena_group.
 * Admin / superadmin only.
 *
 * POST params:
 *   type  — 'session' | 'novena'
 *   id    — integer row ID
 *
 * Returns JSON: {"pinned": true|false}
 */
require_once __DIR__ . '/../config/db.php';
require_once __DIR__ . '/../includes/auth.php';

header('Content-Type: application/json');

_auth_start();

if (!has_role('admin')) {
    http_response_code(403);
    echo json_encode(['error' => 'Permission denied']);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['error' => 'Method not allowed']);
    exit;
}

$type = trim($_POST['type'] ?? '');
$id   = (int)($_POST['id']   ?? 0);

if (!in_array($type, ['session', 'novena'], true) || $id < 1) {
    http_response_code(400);
    echo json_encode(['error' => 'Invalid parameters']);
    exit;
}

try {
    $pdo   = get_pdo();
    $table = ($type === 'session') ? 'sessions' : 'novena_groups';

    $sel = $pdo->prepare("SELECT is_pinned FROM {$table} WHERE id = ?");
    $sel->execute([$id]);
    $row = $sel->fetch();

    if (!$row) {
        http_response_code(404);
        echo json_encode(['error' => 'Record not found']);
        exit;
    }

    $new = $row['is_pinned'] ? 0 : 1;
    $upd = $pdo->prepare("UPDATE {$table} SET is_pinned = ? WHERE id = ?");
    $upd->execute([$new, $id]);

    echo json_encode(['pinned' => (bool)$new]);

} catch (PDOException $e) {
    http_response_code(500);
    echo json_encode(['error' => 'Database error']);
}