fetch( "SELECT * FROM orders WHERE order_id = :id", ['id' => $orderId] ); if (!$order) { jsonResponse(['error' => 'Order not found'], 404); } $order['items'] = json_decode($order['items'], true); $order['shipping_address'] = json_decode($order['shipping_address'], true); unset($order['id']); jsonResponse($order); } elseif ($orderNumber) { $email = $_GET['email'] ?? ''; $order = db()->fetch( "SELECT * FROM orders WHERE order_number = :num AND customer_email = :email", ['num' => $orderNumber, 'email' => strtolower($email)] ); if (!$order) { jsonResponse(['error' => 'Order not found'], 404); } $order['items'] = json_decode($order['items'], true); $order['shipping_address'] = json_decode($order['shipping_address'], true); unset($order['id']); jsonResponse($order); } else { // List orders (admin only or customer's own) $customer = CustomerAuth::getUser(); if ($customer) { $orders = db()->fetchAll( "SELECT order_id, order_number, total, payment_status, order_status, created_at FROM orders WHERE customer_id = :cid ORDER BY created_at DESC LIMIT 50", ['cid' => $customer['customer_id']] ); } else { jsonResponse(['error' => 'Authentication required'], 401); } jsonResponse(['orders' => $orders]); } break; case 'POST': // Update order status (admin) if ($action === 'update_status') { // Admin check would go here $orderId = $input['order_id'] ?? ''; $status = $input['status'] ?? ''; $trackingNumber = $input['tracking_number'] ?? 
null; if (empty($orderId) || empty($status)) { jsonResponse(['error' => 'Order ID and status required'], 400); } $validStatuses = ['pending', 'confirmed', 'processing', 'shipped', 'delivered', 'cancelled', 'refunded']; if (!in_array($status, $validStatuses)) { jsonResponse(['error' => 'Invalid status'], 400); } $updateData = ['order_status' => $status]; if ($trackingNumber) { $updateData['tracking_number'] = $trackingNumber; } db()->update('orders', $updateData, 'order_id = :id', ['id' => $orderId]); // If status is shipped or delivered, send email $order = db()->fetch("SELECT * FROM orders WHERE order_id = :id", ['id' => $orderId]); if ($order && in_array($status, ['shipped', 'delivered'])) { sendStatusUpdateEmail($order, $status, $trackingNumber); } jsonResponse(['success' => true, 'status' => $status]); } // Cancel order if ($action === 'cancel') { $orderId = $input['order_id'] ?? ''; $customer = CustomerAuth::getUser(); if (!$customer) { jsonResponse(['error' => 'Authentication required'], 401); } $order = db()->fetch( "SELECT * FROM orders WHERE order_id = :id AND customer_id = :cid", ['id' => $orderId, 'cid' => $customer['customer_id']] ); if (!$order) { jsonResponse(['error' => 'Order not found'], 404); } if (!in_array($order['order_status'], ['pending', 'confirmed'])) { jsonResponse(['error' => 'This order cannot be cancelled'], 400); } db()->update('orders', ['order_status' => 'cancelled'], 'order_id = :id', ['id' => $orderId] ); // Restore stock $items = json_decode($order['items'], true) ?? 
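[];
    foreach ($items as $item) {
        db()->query(
            "UPDATE products SET stock = stock + :qty WHERE product_id = :id",
            ['qty' => $item['quantity'], 'id' => $item['product_id']]
        );
    }
    jsonResponse(['success' => true]);
}
jsonResponse(['error' => 'Invalid action'], 400);
break;
default:
    jsonResponse(['error' => 'Method not allowed'], 405);
}

/**
 * Emails the customer a notice that their order moved to a new status.
 *
 * Every value interpolated into the HTML body is passed through
 * htmlspecialchars(): customer_name was supplied by the customer at checkout
 * and the tracking number comes from the update_status request body, so
 * neither may be rendered raw inside an HTML mail. The subject line is a
 * plain-text header and is deliberately left unescaped.
 *
 * @param array       $order          An `orders` row as returned by db()->fetch();
 *                                    reads customer_name, customer_email and order_number.
 * @param string      $status         New order status; 'shipped' and 'delivered' get a
 *                                    dedicated headline, any other value a generic one
 *                                    (the original indexed $statusMessages directly and
 *                                    warned on an unknown status).
 * @param string|null $trackingNumber Carrier tracking number; the tracking line is
 *                                    only emitted when it is non-null and non-empty.
 */
function sendStatusUpdateEmail(array $order, string $status, ?string $trackingNumber = null): void
{
    $statusMessages = [
        'shipped' => 'Your order has been shipped!',
        'delivered' => 'Your order has been delivered!',
    ];

    // HTML-context escaping. ENT_SUBSTITUTE replaces an invalid UTF-8 sequence with
    // U+FFFD instead of returning '' (which would silently blank the whole field).
    $esc = static function ($value): string {
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    };

    $headline = $esc($statusMessages[$status] ?? 'Your order has been updated');
    $name = $esc($order['customer_name'] ?? '');
    $orderNumber = $esc($order['order_number'] ?? '');
    $statusLabel = $esc($status);

    // Test for null/'' rather than truthiness so a tracking value of '0' is not dropped.
    $tracking = $trackingNumber !== null && $trackingNumber !== ''
        ? "\n\nTracking #: " . $esc($trackingNumber) . "\n\n"
        : '';

    // Closing marker at column 0 so the heredoc parses on PHP versions before 7.3 as well.
    $html = <<<HTML

Tom's Java Jive

{$headline}

Hi {$name},

Order #{$orderNumber} has been updated to: {$statusLabel}

{$tracking}
HTML;

    sendEmail($order['customer_email'], "Order Update - #{$order['order_number']}", $html);
}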