package authz

import (
	"context"
	"tercul/internal/domain"
	"tercul/internal/domain/work"
	platform_auth "tercul/internal/platform/auth"
)

// Service provides authorization checks for the application.
type Service struct {
	workRepo work.WorkRepository
}

// NewService creates a new authorization service.
func NewService(workRepo work.WorkRepository) *Service {
	return &Service{workRepo: workRepo}
}

// CanEditWork checks if a user has permission to edit a work.
// For now, we'll implement a simple rule: only an admin or the work's author can edit it.
func (s *Service) CanEditWork(ctx context.Context, userID uint, work *work.Work) (bool, error) {
	claims, ok := platform_auth.GetClaimsFromContext(ctx)
	if !ok {
		return false, domain.ErrUnauthorized
	}

	// Admins can do anything.
	if claims.Role == string(domain.UserRoleAdmin) {
		return true, nil
	}

	// Check if the user is an author of the work.
	isAuthor, err := s.workRepo.IsAuthor(ctx, work.ID, userID)
	if err != nil {
		return false, err
	}
	if isAuthor {
		return true, nil
	}

	return false, domain.ErrForbidden
}

// CanUpdateUser checks if a user has permission to update another user's profile.
func (s *Service) CanUpdateUser(ctx context.Context, actorID, targetUserID uint) (bool, error) {
	claims, ok := platform_auth.GetClaimsFromContext(ctx)
	if !ok {
		return false, domain.ErrUnauthorized
	}

	// Admins can do anything.
	if claims.Role == string(domain.UserRoleAdmin) {
		return true, nil
	}

	// Users can update their own profile.
	if actorID == targetUserID {
		return true, nil
	}

	return false, domain.ErrForbidden
}

// CanDeleteComment checks if a user has permission to delete a comment.
// For now, we'll implement a simple rule: only an admin or the comment's author can delete it.
func (s *Service) CanDeleteComment(ctx context.Context, userID uint, comment *domain.Comment) (bool, error) {
	claims, ok := platform_auth.GetClaimsFromContext(ctx)
	if !ok {
		return false, domain.ErrUnauthorized
	}

	// Admins can do anything.
	if claims.Role == string(domain.UserRoleAdmin) {
		return true, nil
	}

	// Check if the user is the author of the comment.
	if comment.UserID == userID {
		return true, nil
	}

	return false, domain.ErrForbidden
}