package rbac

import (
	"net/http"

	"git.haelnorr.com/h/golib/cookies"
	"git.haelnorr.com/h/golib/hws"
	"git.haelnorr.com/h/oslstats/internal/db"
	"git.haelnorr.com/h/oslstats/internal/permissions"
	"git.haelnorr.com/h/oslstats/internal/roles"
)

// RequirePermission creates middleware that requires a specific permission
func (c *Checker) RequirePermission(server *hws.Server, permission permissions.Permission) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			user := db.CurrentUser(r.Context())
			if user == nil {
				// Not logged in - redirect to login with page_from
				cookies.SetPageFrom(w, r, r.URL.Path)
				http.Redirect(w, r, "/login", http.StatusSeeOther)
				return
			}

			has, err := c.UserHasPermission(r.Context(), user, permission)
			if err != nil {
				// Log error and return 500
				server.ThrowError(w, r, hws.HWSError{
					StatusCode:      http.StatusInternalServerError,
					Message:         "Permission check failed",
					Error:           err,
					Level:           hws.ErrorERROR,
					RenderErrorPage: true,
				})
				return
			}

			if !has {
				// User lacks permission - return 403
				server.ThrowError(w, r, hws.HWSError{
					StatusCode:      http.StatusForbidden,
					Message:         "You don't have permission to access this resource",
					Error:           nil,
					Level:           hws.ErrorDEBUG,
					RenderErrorPage: true,
				})
				return
			}

			next.ServeHTTP(w, r)
		})
	}
}

// RequireRole creates middleware that requires a specific role
func (c *Checker) RequireRole(server *hws.Server, role roles.Role) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			user := db.CurrentUser(r.Context())
			if user == nil {
				// Not logged in - redirect to login
				cookies.SetPageFrom(w, r, r.URL.Path)
				http.Redirect(w, r, "/login", http.StatusSeeOther)
				return
			}

			has, err := c.UserHasRole(r.Context(), user, role)
			if err != nil {
				// Log error and return 500
				hwserr := hws.HWSError{
					StatusCode:      http.StatusInternalServerError,
					Message:         "Role check failed",
					Error:           err,
					Level:           hws.ErrorERROR,
					RenderErrorPage: true,
				}
				server.ThrowError(w, r, hwserr)
				return
			}

			if !has {
				// User lacks role - return 403
				server.ThrowError(w, r, hws.HWSError{
					StatusCode:      http.StatusForbidden,
					Message:         "You don't have the required role to access this resource",
					Error:           nil,
					Level:           hws.ErrorDEBUG,
					RenderErrorPage: true,
				})
				return
			}

			next.ServeHTTP(w, r)
		})
	}
}

// RequireAdmin is a convenience middleware for admin-only routes
func (c *Checker) RequireAdmin(server *hws.Server) func(http.Handler) http.Handler {
	return c.RequireRole(server, roles.Admin)
}