"""
Permission system for Plutus payment processing application.

Provides role-based access control with three permission levels:
- Admin: Full access to all features
- Finance: All features except user management 
- Helpdesk: View-only access + single payment processing
"""

from functools import wraps
from flask import abort, flash, redirect, url_for, request
from flask_login import current_user


# Permission levels (hierarchical)
PERMISSION_LEVELS = {
    'Admin': 3,
    'Finance': 2, 
    'Helpdesk': 1
}

def get_user_permission_level(user):
    """Get the numeric permission level for a user."""
    if not user or not user.is_authenticated:
        return 0
    
    user_permission = getattr(user, 'Permissions', '').strip()
    return PERMISSION_LEVELS.get(user_permission, 0)

def has_permission(required_permission):
    """Check if current user has the required permission level."""
    if not current_user or not current_user.is_authenticated:
        return False
    
    user_level = get_user_permission_level(current_user)
    required_level = PERMISSION_LEVELS.get(required_permission, 999)
    
    return user_level >= required_level

def require_permission(required_permission):
    """
    Decorator to require a specific permission level for route access.
    
    Args:
        required_permission (str): Permission level required ('Admin', 'Finance', 'Helpdesk')
    """
    def decorator(f):
        @wraps(f)
        def decorated_function(*args, **kwargs):
            if not current_user.is_authenticated:
                flash('Please log in to access this page.', 'error')
                return redirect(url_for('auth.login', next=request.url))
            
            if not has_permission(required_permission):
                flash('You do not have permission to access this page.', 'error')
                return redirect(url_for('main.index'))
            
            return f(*args, **kwargs)
        return decorated_function
    return decorator

def admin_required(f):
    """Decorator requiring Admin permission."""
    return require_permission('Admin')(f)

def finance_required(f):
    """Decorator requiring Finance permission or higher."""
    return require_permission('Finance')(f)

def helpdesk_required(f):
    """Decorator requiring Helpdesk permission or higher."""
    return require_permission('Helpdesk')(f)

# Template helper functions
def can_manage_users():
    """Check if current user can manage users (Admin only)."""
    return has_permission('Admin')

def can_manage_payments():
    """Check if current user can manage payments (Finance or Admin)."""
    return has_permission('Finance')

def can_view_data():
    """Check if current user can view data (any authenticated user)."""
    return has_permission('Helpdesk')

def can_process_single_payments():
    """Check if current user can process single payments (Helpdesk or higher)."""
    return has_permission('Helpdesk')

def can_manage_batch_payments():
    """Check if current user can manage batch payments (Finance or Admin).""" 
    return has_permission('Finance')

def can_manage_payment_plans():
    """Check if current user can manage payment plans (Finance or Admin)."""
    return has_permission('Finance')

def can_view_logs():
    """Check if current user can view system logs (Finance or Admin)."""
    return has_permission('Finance')

def can_export_data():
    """Check if current user can export data (Finance or Admin)."""
    return has_permission('Finance')