<?php
require_once __DIR__ . '/../helpers.php';
runAuth();

try {
    $data = readJsonBody();
    $tabID = (int) ($data['TabID'] ?? 0);
    $orderID = (int) ($data['OrderID'] ?? 0);
    $userID = (int) ($data['UserID'] ?? 0);

    if ($tabID === 0) apiAbort(['OK' => false, 'ERROR' => 'missing_TabID']);
    if ($orderID === 0) apiAbort(['OK' => false, 'ERROR' => 'missing_OrderID']);
    if ($userID === 0) apiAbort(['OK' => false, 'ERROR' => 'missing_UserID']);

    $qTab = queryOne("SELECT OwnerUserID, StatusID FROM Tabs WHERE ID = ? LIMIT 1", [$tabID]);
    if (!$qTab) apiAbort(['OK' => false, 'ERROR' => 'tab_not_found']);
    if ((int) $qTab['OwnerUserID'] !== $userID) apiAbort(['OK' => false, 'ERROR' => 'not_owner']);

    $qTabOrder = queryOne("SELECT ApprovalStatus FROM TabOrders WHERE TabID = ? AND OrderID = ? LIMIT 1", [$tabID, $orderID]);
    if (!$qTabOrder) apiAbort(['OK' => false, 'ERROR' => 'order_not_on_tab']);
    if ($qTabOrder['ApprovalStatus'] !== 'pending') apiAbort(['OK' => false, 'ERROR' => 'not_pending']);

    queryTimed("UPDATE TabOrders SET ApprovalStatus = 'rejected' WHERE TabID = ? AND OrderID = ?", [$tabID, $orderID]);
    queryTimed("UPDATE Orders SET TabID = NULL WHERE ID = ?", [$orderID]);

    jsonResponse(['OK' => true]);

} catch (Exception $e) {
    jsonResponse(['OK' => false, 'ERROR' => 'server_error', 'MESSAGE' => $e->getMessage()]);
}