<?php
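// Handler for a submitted private message: either a reply to an existing
// conversation (convid present) or the first message of a new one.
// Every $_POST value is client-controlled and is type-checked before use.

// Project-supplied request guard; presumably validates the anti-CSRF token — confirm.
authorize();

// toid must be a non-empty string. PHP turns `toid[]=...` into an array, which
// would otherwise reach isset(), explode() and is_number() with the wrong type.
if (empty($_POST['toid']) || !is_string($_POST['toid'])) {
	error(404);
}

// Senders flagged DisablePM may only address an ID that is a key of $StaffIDs.
// The comparison uses the raw toid string, so a comma-separated list never matches.
if (!empty($LoggedUser['DisablePM']) && !isset($StaffIDs[$_POST['toid']])) {
	error(403);
}

if (isset($_POST['convid']) && is_string($_POST['convid']) && is_number($_POST['convid'])) {
	// Reply to an existing conversation: toid may be a comma-separated list.
	$ConvID = $_POST['convid'];
	$Subject = '';
	$ToID = explode(',', $_POST['toid']);
	foreach ($ToID as $TID) {
		if (!is_number($TID)) {
			$Err = 'A recipient does not exist.';
			break; // one invalid entry is enough to reject the request
		}
	}
	// The sender must be a participant of the conversation being replied to.
	// $ConvID passed is_number() above and $LoggedUser[ID] is not request data here;
	// the query is still string-built, so it is only as safe as is_number() is
	// strict (assumed digits-only — confirm). Prefer bound parameters if $DB offers them.
	$DB->query("
		SELECT UserID
		FROM pm_conversations_users
		WHERE UserID = '$LoggedUser[ID]'
			AND ConvID = '$ConvID'");
	if (!$DB->has_results()) {
		error(403);
	}
	// NOTE(review): only the sender's membership is verified. The recipient IDs come
	// from the request and are not compared with the conversation's participants,
	// and the DisablePM check above is evaluated on the submitted toid rather than
	// on who is actually in the conversation. Whether Misc::send_pm() restricts
	// delivery to participants is not visible from this file — confirm.
} else {
	// New conversation: exactly one numeric recipient and a non-empty subject.
	$ConvID = '';
	if (!is_number($_POST['toid'])) {
		$Err = 'This recipient does not exist.';
	} else {
		$ToID = $_POST['toid'];
	}
	// A missing or non-string subject is treated as empty instead of being passed to trim().
	$Subject = (isset($_POST['subject']) && is_string($_POST['subject'])) ? trim($_POST['subject']) : '';
	if (empty($Subject)) {
		$Err = 'You cannot send a message without a subject.';
	}
}

// A missing or non-string body is treated as empty, so it is rejected below
// rather than reaching Misc::send_pm() as a non-string value.
$Body = (isset($_POST['body']) && is_string($_POST['body'])) ? trim($_POST['body']) : '';
if ($Body === '') {
	$Err = 'You cannot send a message without a body.';
}

if (!empty($Err)) {
	error($Err);
	// NOTE(review): if error() ends the request (it is used that way above), the
	// statements below never run; they look like a fallback that re-renders the
	// compose form with the submitted recipient.
	$ToID = $_POST['toid'];
	$Return = true;
	include(SERVER_ROOT.'/sections/inbox/compose.php');
	die();
}

// Deliver the message; the sender ID is taken from the session, not from the request.
$ConvID = Misc::send_pm($ToID, $LoggedUser['ID'], $Subject, $Body, $ConvID);

// Redirect back to the inbox after a successful send.
header('Location: ' . Inbox::get_inbox_link());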
?>