<?php
require __DIR__ . '/session.php';
require __DIR__ . '/db.php';
// Endpoint prelude: require_manager() (from session.php) gates access before any work is done,
// then the response is declared as JSON and marked non-cacheable.
require_manager();
foreach (['Content-Type: application/json', 'Cache-Control: no-store'] as $responseHeader) {
    header($responseHeader);
}

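// Staff folder name: fold to lower-case FIRST, then strip everything outside [a-z0-9_-].
// Stripping before folding discards upper-case letters instead of lowering them, so "Bob"
// would be stored as "ob" and share a folder with a different user.
// A non-string value (e.g. an array parameter) is treated as missing rather than handed to
// preg_replace(); the (string) cast also covers preg_replace() returning null on a PCRE error.
$rawUser = $_POST['user'] ?? '';
$user = is_string($rawUser)
    ? (string) preg_replace('/[^a-z0-9_\-]/', '', strtolower($rawUser))
    : '';
if ($user === '') {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => 'user required']);
    exit;
}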

// Storage root for staff files. It is created on first use and then canonicalised with
// realpath(), whose false result covers both "still missing" and "not resolvable".
$root = __DIR__ . '/../ebp/data/ebp/staff-files';
if (!is_dir($root)) {
    @mkdir($root, 0775, true);
}
$root = realpath($root);
if (!$root) {
    http_response_code(500);
    echo json_encode(['ok' => false, 'error' => 'Files root not available']);
    exit;
}

// Per-user sub-folder. $user has already been reduced to [a-z0-9_-], so it cannot carry a
// path separator or a ".." segment into this concatenation.
$dest = $root . DIRECTORY_SEPARATOR . $user;
if (!is_dir($dest) && !@mkdir($dest, 0775, true)) {
    http_response_code(500);
    echo json_encode(['ok' => false, 'error' => 'Cannot create staff folder']);
    exit;
}

// Extension allow-list (lower-case; compared with in_array(..., true)) and per-file size cap.
// Only the extension is consulted; file contents are not inspected anywhere in this script.
$ALLOWED = [
    // documents
    'pdf', 'doc', 'docx', 'xls', 'xlsx', 'csv', 'txt', 'rtf', 'odt', 'ppt', 'pptx', 'key',
    // images
    'png', 'jpg', 'jpeg', 'gif', 'webp', 'heic',
    // audio / video
    'mp3', 'wav', 'm4a', 'mp4', 'mov', 'mkv',
    // archives
    'zip', 'rar', '7z',
];
$MAX_BYTES = 50 * 1024 * 1024; // 50 MiB

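/**
 * Reduce an upload's base name (extension already removed) to a safe, portable form.
 *
 * Every run of characters other than Unicode letters/digits, ".", "_" and "-" becomes one "_",
 * runs of "_" are collapsed, and leading/trailing "." or "_" are trimmed — so the result never
 * starts with a dot and cannot contain a path separator. Input that is not valid UTF-8 makes
 * preg_replace() (with the u modifier) return null; that is mapped to "" here instead of being
 * passed on to trim(), which is deprecated for null in PHP 8.1+.
 *
 * @return string possibly empty — the caller substitutes a default name in that case
 */
function safe_filename(string $name): string
{
    $collapsed = preg_replace('/[^\pL\pN._-]+/u', '_', $name) ?? '';
    $collapsed = preg_replace('/_+/', '_', $collapsed) ?? '';
    return trim($collapsed, '._');
}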

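$out = [];
$errors = [];
// Missing field is a client error, reported with the same status the "user required" check uses.
if (!isset($_FILES['files'])) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => 'No files']);
    exit;
}
$F = $_FILES['files'];
// A form field named "files" (without []) arrives with scalar entries; wrap them so the
// per-index loop below works for single- and multi-file uploads alike.
if (isset($F['name']) && !is_array($F['name'])) {
    foreach (['name', 'type', 'tmp_name', 'error', 'size'] as $k) {
        $F[$k] = [$F[$k] ?? null];
    }
}
$n = is_array($F['name'] ?? null) ? count($F['name']) : 0;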

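for ($i = 0; $i < $n; $i++) {
  // PHP's per-file status; anything but UPLOAD_ERR_OK means there is no usable temp file.
  if ($F['error'][$i] !== UPLOAD_ERR_OK) { $errors[] = "Upload error {$F['error'][$i]}"; continue; }
  if ($F['size'][$i] <= 0 || $F['size'][$i] > $MAX_BYTES) { $errors[] = "File too large/empty"; continue; }
  $orig = $F['name'][$i];
  $ext  = strtolower(pathinfo($orig, PATHINFO_EXTENSION));
  // Compared as a string so an extension of "0" is checked like any other instead of being
  // skipped as falsy. Only the extension is checked; contents are not inspected.
  if ($ext !== '' && !in_array($ext, $ALLOWED, true)) { $errors[] = ".$ext not allowed"; continue; }

  // pathinfo() only looks at the text after the LAST dot, so the base name may still carry an
  // inner ".something" (a name with a trailing dot even reaches here with $ext === ''). Dots in
  // the base are turned into "_" before sanitising, so the stored name's only extension is the
  // one that passed the allow-list above. Files are served straight from this folder (see the
  // URL built below), which is why no second extension may survive.
  $base = safe_filename(str_replace('.', '_', pathinfo($orig, PATHINFO_FILENAME))) ?: 'file';
  $suffix = $ext !== '' ? ".$ext" : '';
  $name = $base . $suffix;
  $target = $dest . DIRECTORY_SEPARATOR . $name;
  // Never overwrite: timestamp suffix first, then a counter — two uploads of the same name
  // within one second would otherwise clobber each other via move_uploaded_file().
  if (file_exists($target)) {
    $stamped = $base . '-' . date('Ymd-His');
    $name = $stamped . $suffix;
    for ($k = 2; file_exists($dest . DIRECTORY_SEPARATOR . $name); $k++) {
      $name = $stamped . '-' . $k . $suffix;
    }
    $target = $dest . DIRECTORY_SEPARATOR . $name;
  }

  // move_uploaded_file() refuses anything that was not uploaded through this request.
  if (!@move_uploaded_file($F['tmp_name'][$i], $target)) { $errors[] = "Save failed: $orig"; continue; }
  @chmod($target, 0664);

  $url = '/ebp/data/ebp/staff-files/' . rawurlencode($user) . '/' . rawurlencode($name);
  $out[] = ['name' => $name, 'size' => filesize($target), 'mtime' => filemtime($target), 'url' => $url];
}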

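// $errors echoes client-supplied names ("Save failed: ...", ".ext not allowed"); if one of them is
// not valid UTF-8, json_encode() without a flag returns false and the client gets an empty body.
// JSON_INVALID_UTF8_SUBSTITUTE replaces the bad bytes so the summary is always delivered.
echo json_encode(['ok' => true, 'uploaded' => $out, 'errors' => $errors], JSON_INVALID_UTF8_SUBSTITUTE);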
