<?php
// POST /api/employees/leave_action.php
require_once __DIR__ . '/../config/db.php';
require_once __DIR__ . '/../config/auth.php';

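// Records a decision (approved / rejected / cancelled) on a leave request.
// Only callers that pass requireRole([1, 5]) get this far; what role ids 1 and 5
// stand for is defined outside this file.
// NOTE(review): the guards below rely on apiError() ending the request. That is
// presumably the case (it is used as a one-line guard), but confirm in the helper.
// NOTE(review): nothing visible here enforces the POST method or an anti-CSRF
// token for this state-changing endpoint. Confirm auth.php or post() covers both.
$user   = requireRole([1, 5]);
$db     = getDB();
$id     = (int) post('id', 0);
$action = post('action', '');

// Allow-list of the only status values this endpoint may write.
$allowedActions = ['approved', 'rejected', 'cancelled'];

// A row id must be a positive integer; 0 means "missing" after the cast above.
if ($id <= 0) {
    apiError('Leave request ID required.', 422);
}

// Strict comparison: a non-string value (e.g. the integer 0 under PHP 7 loose
// comparison rules) must never be accepted as a match for one of the names.
if (!in_array($action, $allowedActions, true)) {
    apiError('Invalid action.', 422);
}

// NOTE(review): the WHERE clause matches on id alone, so
//   - a request that was already decided can be moved to another state, and
//   - the caller is not prevented from deciding on their own request.
// If either is unintended, add the current-status / owner predicate here.
// NOTE(review): approved_by / approved_at are also stamped for 'rejected' and
// 'cancelled'; confirm the columns are meant as a generic "decided by / at".
// NOTE(review): the number of matched rows is not checked, so an unknown id
// still produces the success response below.
$statement = $db->prepare("
    UPDATE employee_leave SET status = ?, approved_by = ?, approved_at = NOW()
    WHERE id = ?
");
$statement->execute([$action, $user['id'], $id]);

// $action is one of the three allow-listed literals at this point.
apiSuccess([], 'Leave request ' . $action . '.');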
