<?php
// index.php — School News Portal (Login + Roles) — ใช้ตัวแปร $servername / $dbname / $userdb / $passdb

// ====== SIMPLE CONFIG (แก้ค่านี้ให้ตรงกับโฮสต์ของโชค) ======
$servername = 'localhost';       
$userdb     = 'u68319090014';   
$passdb     = '@6814';            
$dbname     = 'u68319090014';           


// หมวดหมู่ข่าว
$CATEGORIES = [
  'public'      => 'ข่าวประชาสัมพันธ์',
  'students'    => 'ข่าวสำหรับนักเรียน',
  'teachers'    => 'ข่าวสำหรับอาจารย์',
  'procurement' => 'ข่าวจัดซื้อจัดจ้าง',
];

// ====== BOOTSTRAP ======
session_start();
header('Content-Type: text/html; charset=UTF-8');

function e($s) { return htmlspecialchars($s ?? '', ENT_QUOTES, 'UTF-8'); }
function isLoggedIn() { return !empty($_SESSION['uid']); }
function currentUser() { return isLoggedIn() ? ['id'=>$_SESSION['uid'], 'username'=>$_SESSION['username'], 'role'=>$_SESSION['role']] : null; }
function forbid() { header('HTTP/1.1 403 Forbidden'); echo layout('Forbidden', '<div class="card alert">ไม่มีสิทธิ์เข้าถึงหน้านี้</div>'); exit; }
function requireRole($role) { $u=currentUser(); if(!$u || $u['role']!==$role) forbid(); }
function canViewCategory($category, $role) {
  if (in_array($category, ['public','procurement'], true)) return true; // สาธารณะ
  if ($role === 'admin') return true;
  if ($category === 'students' && $role === 'student') return true;
  if ($category === 'teachers' && $role === 'teacher') return true;
  return false;
}

// ====== LAYOUT ======
function layout($title, $bodyHtml) {
  global $SITE_NAME, $CATEGORIES;
  $u = currentUser();
  $nav = '';
  foreach ($CATEGORIES as $k=>$v) { $nav .= '<a class="chip" href="?cat='.e($k).'">'.e($v).'</a>'; }
  $auth = $u ? '<span class="me">👤 '.e($u['username']).' ('.e($u['role']).')</span> <a class="btn" href="?action=logout">ออกจากระบบ</a>' : '<a class="btn" href="?action=login">เข้าสู่ระบบ</a>';
  $admin = ($u && $u['role']==='admin') ? '<a class="btn primary" href="?action=dashboard">แดชบอร์ดผู้ดูแล</a>' : '';

  $head = '<!doctype html><html lang="th"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">'
    .'<title>'.e($SITE_NAME.' - '.$title).'</title>'
    .'<style>'
    .'body{margin:0;background:#0b1020;color:#eef2ff;font-family:system-ui,Arial,sans-serif}'
    .'.container{max-width:960px;margin:24px auto;padding:0 16px}'
    .'.header{display:flex;gap:12px;align-items:center;justify-content:space-between;margin-bottom:16px}'
    .'.brand{font-weight:800;letter-spacing:.3px}'
    .'.btn{padding:8px 12px;border:1px solid #334;border-radius:8px;text-decoration:none;color:#eef2ff;display:inline-block}'
    .'.btn.primary{background:#3b82f6;border-color:#3b82f6;color:#fff}'
    .'.btn.danger{background:#ef4444;border-color:#ef4444;color:#fff}'
    .'.chip{padding:6px 10px;border:1px solid #334;border-radius:999px;text-decoration:none;color:#eef2ff;margin-right:6px;display:inline-block}'
    .'.card{background:#101935;border:1px solid #334;padding:16px;border-radius:12px;margin-bottom:12px}'
    .'.grid{display:grid;gap:12px}'
    .'.grid.cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}'
    .'.input{width:100%;padding:10px;border-radius:8px;border:1px solid #334;background:#0a1428;color:#eef2ff}'
    .'.label{font-size:14px;color:#9fb3c8;margin-bottom:6px}'
    .'.row{display:flex;gap:10px;align-items:center;flex-wrap:wrap}'
    .'.table{width:100%;border-collapse:collapse}'
    .'.table th,.table td{border-bottom:1px solid #334;text-align:left;padding:8px;color:#eef2ff}'
    .'.me{color:#9fb3c8}'
    .'.footer{margin-top:24px;color:#9fb3c8;font-size:13px}'
    .'.alert{background:#1f2a44;border:1px solid #3b4a6b;padding:12px;border-radius:10px}'
    .'</style></head><body>';

  $header = '<div class="container"><div class="header">'
    .'<div class="brand">🗞️ '.e($SITE_NAME).'</div><div>'.$nav.'</div>'
    .'<div>'.$admin.$auth.'</div>'
    .'</div>';

  $footer = '<div class="footer">ทำด้วย ❤️ ด้วย PHP + MySQL | ตัวอย่างเพื่อการเรียนรู้</div></div></body></html>';

  return $head.$header.$bodyHtml.$footer;
}

// ====== PDO CONNECT (ใช้ $servername / $dbname / $userdb / $passdb) ======
function pdo() {
  global $servername, $dbname, $userdb, $passdb;
  static $pdo = null;
  if ($pdo !== null) return $pdo;

  $dsnWithDb = "mysql:host={$servername};dbname={$dbname};charset=utf8mb4";
  try {
    // ต่อเข้าฐานโดยตรง
    $pdo = new PDO($dsnWithDb, $userdb, $passdb, [
      PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
      PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    return $pdo;
  } catch (PDOException $e) {
    // หากเป็น Unknown database (1049) — พยายามสร้าง DB ให้อัตโนมัติ
    if (strpos($e->getMessage(), '1049') !== false) {
      try {
        $dsnNoDb = "mysql:host={$servername};charset=utf8mb4";
        $pdoTmp = new PDO($dsnNoDb, $userdb, $passdb, [
          PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
          PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
        $safe = preg_replace('/[^a-zA-Z0-9_]/', '_', $dbname);
        $pdoTmp->exec("CREATE DATABASE IF NOT EXISTS `{$safe}` CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci");

        // ต่อใหม่เข้าฐานที่เพิ่งสร้าง
        $pdo = new PDO($dsnWithDb, $userdb, $passdb, [
          PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
          PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
        return $pdo;
      } catch (PDOException $e2) {
        echo layout('เชื่อมต่อฐานข้อมูลไม่สำเร็จ',
          '<div class="card alert"><b>ไม่สามารถสร้าง/เชื่อมต่อฐานข้อมูลได้</b><br>'
          . e($e2->getMessage())
          . '<br>ตรวจสอบสิทธิ์ผู้ใช้ MySQL หรือสร้างฐานข้อมูลด้วยตนเองใน phpMyAdmin</div>');
        exit;
      }
    }

    // ข้อผิดพลาดอื่น ๆ
    echo layout('เชื่อมต่อฐานข้อมูลไม่สำเร็จ',
      '<div class="card alert"><b>เชื่อมต่อฐานข้อมูลไม่สำเร็จ</b><br>'.e($e->getMessage()).'</div>');
    exit;
  }
}

// ====== SCHEMA GUARD ======
function ensure_schema() {
  $pdo = pdo();
  $pdo->exec("CREATE TABLE IF NOT EXISTS users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50) UNIQUE NOT NULL,
    password_hash VARCHAR(255) NOT NULL,
    role ENUM('admin','student','teacher') NOT NULL DEFAULT 'student',
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
  ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;");

  $pdo->exec("CREATE TABLE IF NOT EXISTS news (
    id INT AUTO_INCREMENT PRIMARY KEY,
    title VARCHAR(200) NOT NULL,
    body TEXT NOT NULL,
    category ENUM('public','students','teachers','procurement') NOT NULL,
    author_id INT NULL,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    INDEX(category),
    FOREIGN KEY (author_id) REFERENCES users(id) ON DELETE SET NULL
  ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;");

  // ถ้ายังไม่มี admin ให้สร้างอัตโนมัติ
  $st = $pdo->query("SELECT COUNT(*) c FROM users WHERE role='admin'");
  $c = ($st && ($row=$st->fetch())) ? (int)$row['c'] : 0;
  if ($c === 0) {
    $hash = password_hash('admin123', PASSWORD_DEFAULT);
    $stmt = $pdo->prepare("INSERT INTO users(username,password_hash,role) VALUES(?,?, 'admin')");
    $stmt->execute(['admin', $hash]);
  }
}
ensure_schema();

// ====== ACTIONS ======
$action = $_GET['action'] ?? '';

if ($action === 'login') {
  if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['password'] ?? '';
    $stmt = pdo()->prepare('SELECT * FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $u = $stmt->fetch();
    if ($u && password_verify($password, $u['password_hash'])) {
      $_SESSION['uid'] = $u['id'];
      $_SESSION['username'] = $u['username'];
      $_SESSION['role'] = $u['role'];
      header('Location: ./');
      exit;
    } else {
      $error = '<div class="alert">❌ ชื่อผู้ใช้หรือรหัสผ่านไม่ถูกต้อง</div>';
    }
  }
  $form  = '<div class="grid cols-2">';
  $form .= '  <div class="card">';
  $form .= '    <h2>เข้าสู่ระบบ</h2>';
  $form .= '    <form method="post">';
  $form .= '      <div class="label">ชื่อผู้ใช้</div>';
  $form .= '      <input class="input" name="username" required>';
  $form .= '      <div class="label" style="margin-top:10px">รหัสผ่าน</div>';
  $form .= '      <input class="input" type="password" name="password" required>';
  $form .= '      <div style="margin-top:12px" class="row">';
  $form .= '        <button class="btn primary" type="submit">เข้าสู่ระบบ</button>';
  $form .= '        <a class="btn" href="./">ยกเลิก</a>';
  $form .= '      </div>';
  $form .= '    </form>';
  $form .=      ($error ?? '');
  $form .= '    <div class="me">ทดลอง: admin / admin123</div>';
  $form .= '  </div>';
  $form .= '  <div class="card">';
  $form .= '    <h3>บทบาทผู้ใช้</h3>';
  $form .= '    <p class="me">student เห็นข่าวนักเรียน • teacher เห็นข่าวอาจารย์ • admin จัดการข่าวทั้งหมด</p>';
  $form .= '  </div>';
  $form .= '</div>';
  echo layout('เข้าสู่ระบบ', $form);
  exit;
}

if ($action === 'logout') {
  session_destroy();
  header('Location: ./');
  exit;
}

if ($action === 'dashboard') {
  requireRole('admin');
  $rows = pdo()->query('SELECT n.*, u.username FROM news n LEFT JOIN users u ON u.id=n.author_id ORDER BY n.created_at DESC LIMIT 200')->fetchAll();
  ob_start();
  echo '<div class="card">';
  echo '<div class="row" style="justify-content:space-between;align-items:center"><h2>แดชบอร์ดผู้ดูแล</h2><a class="btn primary" href="?action=edit">+ เพิ่มข่าว</a></div>';
  echo '<table class="table"><thead><tr><th>ID</th><th>หัวข้อ</th><th>หมวด</th><th>ผู้เขียน</th><th>วันที่</th><th></th></tr></thead><tbody>';
  foreach ($rows as $r) {
    echo '<tr>';
    echo '<td>'.e($r['id']).'</td>';
    echo '<td>'.e($r['title']).'</td>';
    echo '<td><span class="chip">'.e($GLOBALS['CATEGORIES'][$r['category']] ?? $r['category']).'</span></td>';
    echo '<td>'.e($r['username'] ?? '-').'</td>';
    echo '<td>'.e($r['created_at']).'</td>';
    echo '<td class="row"><a class="btn" href="?action=edit&id='.e($r['id']).'">แก้ไข</a> <a class="btn danger" onclick="return confirm(\'ลบรายการนี้?\')" href="?action=delete&id='.e($r['id']).'">ลบ</a></td>';
    echo '</tr>';
  }
  echo '</tbody></table></div>';
  $html = ob_get_clean();
  echo layout('แดชบอร์ด', $html);
  exit;
}

if ($action === 'edit') {
  requireRole('admin');
  $id = isset($_GET['id']) ? (int)$_GET['id'] : 0;
  $row = ['id'=>0, 'title'=>'', 'body'=>'', 'category'=>'public'];
  if ($id) {
    $stmt = pdo()->prepare('SELECT * FROM news WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch() ?: $row;
  }
  $catOpts = '';
  foreach ($GLOBALS['CATEGORIES'] as $k=>$v) {
    $sel = ($row['category'] === $k) ? 'selected' : '';
    $catOpts .= "<option value='".e($k)."' $sel>".e($v)."</option>";
  }

  $form  = '<div class="card">';
  $form .= '<h2>'.($id ? ('แก้ไขข่าว #'.e((string)$id)) : 'เพิ่มข่าวใหม่').'</h2>';
  $form .= '<form method="post" action="?action=save">';
  $form .= '<input type="hidden" name="id" value="'.e((string)$row['id']).'">';

  $form .= '<div class="label">หัวข้อ</div>';
  $form .= '<input class="input" name="title" value="'.e($row['title']).'" required>';

  $form .= '<div class="label" style="margin-top:10px">หมวด</div>';
  $form .= '<select class="input" name="category">'.$catOpts.'</select>';

  $form .= '<div class="label" style="margin-top:10px">เนื้อหา</div>';
  $form .= '<textarea class="input" name="body" rows="8" required>'.e($row['body']).'</textarea>';

  $form .= '<div class="row" style="margin-top:12px">';
  $form .= '<button class="btn primary" type="submit">บันทึก</button>';
  $form .= '<a class="btn" href="?action=dashboard">ยกเลิก</a>';
  $form .= '</div>';

  $form .= '</form></div>';

  echo layout($id ? 'แก้ไขข่าว' : 'เพิ่มข่าว', $form);
  exit;
}

if ($action === 'save' && $_SERVER['REQUEST_METHOD']==='POST') {
  requireRole('admin');
  $id = (int)($_POST['id'] ?? 0);
  $title = trim($_POST['title'] ?? '');
  $category = $_POST['category'] ?? 'public';
  $body = trim($_POST['body'] ?? '');
  if ($title === '' || $body === '' || !array_key_exists($category, $GLOBALS['CATEGORIES'])) {
    echo layout('ข้อผิดพลาด', '<div class="card alert">ข้อมูลไม่ครบถ้วน</div>');
    exit;
  }
  if ($id > 0) {
    $stmt = pdo()->prepare('UPDATE news SET title=?, body=?, category=? WHERE id=?');
    $stmt->execute([$title, $body, $category, $id]);
  } else {
    $uid = $_SESSION['uid'] ?? null;
    $stmt = pdo()->prepare('INSERT INTO news(title, body, category, author_id) VALUES(?,?,?,?)');
    $stmt->execute([$title, $body, $category, $uid]);
  }
  header('Location: ?action=dashboard');
  exit;
}

if ($action === 'delete') {
  requireRole('admin');
  $id = (int)($_GET['id'] ?? 0);
  if ($id>0) {
    $stmt = pdo()->prepare('DELETE FROM news WHERE id=?');
    $stmt->execute([$id]);
  }
  header('Location: ?action=dashboard');
  exit;
}

// ====== HOME (list news by category) ======
$cat = $_GET['cat'] ?? 'public';
if (!array_key_exists($cat, $CATEGORIES)) $cat = 'public';
$u = currentUser();
$role = $u['role'] ?? null;

if (!canViewCategory($cat, $role)) {
  $msg = '<div class="card alert">ต้องเข้าสู่ระบบด้วยบทบาทที่ถูกต้องเพื่อดูหมวดนี้: <b>'.e($CATEGORIES[$cat]).'</b></div>';
  echo layout('ต้องเข้าสู่ระบบ', $msg);
  exit;
}

$stmt = pdo()->prepare('SELECT n.*, u.username FROM news n LEFT JOIN users u ON u.id=n.author_id WHERE category=? ORDER BY created_at DESC LIMIT 100');
$stmt->execute([$cat]);
$rows = $stmt->fetchAll();

ob_start();
echo '<div class="row" style="margin-bottom:10px"><span class="chip">กำลังดู: '.e($CATEGORIES[$cat]).'</span>';
if ($u && $u['role']==='admin') echo '<a class="btn" href="?action=edit">+ เพิ่มข่าว</a>';
echo '</div>';

if (!$rows) {
  echo '<div class="card">ยังไม่มีข่าวในหมวดนี้</div>';
} else {
  foreach ($rows as $r) {
    echo '<div class="card" style="margin-bottom:12px">';
    echo '<div class="row" style="justify-content:space-between"><h3 style="margin:0">'.e($r['title']).'</h3><span class="chip">'.e($CATEGORIES[$r['category']]).'</span></div>';
    echo '<div style="white-space:pre-wrap;margin-top:8px">'.nl2br(e($r['body'])).'</div>';
    echo '<div class="me" style="margin-top:8px">✍️ โดย '.e($r['username'] ?? 'ระบบ').' • 🕒 '.e($r['created_at']).'</div>';
    echo '</div>';
  }
}

$homeHtml = ob_get_clean();
echo layout('หน้าแรก', $homeHtml);

// EOF
