<?php
session_start();
require_once('inc/config.inc.php');
require_once('inc/functions.inc.php');

$user = check_user();

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['id'])) {
    http_response_code(400);
    die('Bad request');
}

$id = (int)$_POST['id'];
$referer = $_POST['referer'] ?? 'urlaubsantrag.php';

$stmt = $pdo->prepare("SELECT user_id, status FROM vacations WHERE id = ?");
$stmt->execute([$id]);
$vac = $stmt->fetch(PDO::FETCH_ASSOC);

if (!$vac) {
    die('Urlaubseintrag nicht gefunden.');
}

$canManageTeamVacations = can_manage_team_vacations();
if (!$canManageTeamVacations && (int)$vac['user_id'] !== (int)$_SESSION['userid']) {
    die('Zugriff verweigert.');
}

$del = $pdo->prepare("DELETE FROM vacations WHERE id = ?");
$del->execute([$id]);

header('Location: ' . $referer);
exit();
?>