<?php
/**
 * Users List Endpoint (Role-Based & Tenant-Aware)
 */

use App\Core\Database;
use App\Core\Encryption;
use App\Middleware\AuthMiddleware;

// 1. Auth Check
$decoded = AuthMiddleware::check();
$db = Database::getInstance();

$role = $decoded['role'];
$tenantId = $decoded['tenant_id'] ?? null;

// 2. Build Query based on Role
if ($role === 'super_admin') {
    // Super Admin sees ALL users from ALL tenants
    $stmt = $db->query("
        SELECT u.id, u.name, u.email, u.role, u.is_active, u.created_at, t.name as tenant_name, c.name as company_name
        FROM users u
        LEFT JOIN tenants t ON u.tenant_id = t.id
        LEFT JOIN companies c ON u.company_id = c.id
    ");
} elseif ($role === 'admin') {
    // Admin sees only users in THEIR tenant (Accounting Office)
    $stmt = $db->prepare("
        SELECT u.id, u.name, u.email, u.role, u.is_active, u.created_at, t.name as tenant_name, c.name as company_name
        FROM users u
        LEFT JOIN tenants t ON u.tenant_id = t.id
        LEFT JOIN companies c ON u.company_id = c.id
        WHERE u.tenant_id = ?
    ");
    $stmt->execute([$tenantId]);
} else {
    // Other roles shouldn't see user list
    json_error('Unauthorized', 403);
}

$users = $stmt->fetchAll();

// 3. Decrypt data and format
foreach ($users as &$user) {
    // Decrypt User Name/Email
    $decryptedName = Encryption::decrypt($user['name']);
    $user['name'] = $decryptedName !== false ? $decryptedName : $user['name'];

    $decryptedEmail = Encryption::decrypt($user['email']);
    $user['email'] = $decryptedEmail !== false ? $decryptedEmail : $user['email'];

    // Decrypt Company Name (if exists)
    if ($user['company_name']) {
        $decryptedCompanyName = Encryption::decrypt($user['company_name']);
        $user['company_name'] = $decryptedCompanyName !== false ? $decryptedCompanyName : $user['company_name'];
    }
}

json_success($users);