"""
Access control module for LucyDOM interface.
Handles user access management and permission checks.
"""

from typing import Dict, Any, List, Optional

class LucyDOMAccess:
    """
    Access control class for LucyDOM interface.
    Handles user access management and permission checks.
    """
    
    def __init__(self, currentUser: Dict[str, Any], _mandateId: int, _userId: int):
        """Initialize with user context."""
        self.currentUser = currentUser
        self._mandateId = _mandateId
        self._userId = _userId

    def _uam(self, table: str, recordset: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
        """
        Unified user access management function that filters data based on user privileges
        and adds access control attributes.
        
        Args:
            table: Name of the table
            recordset: Recordset to filter based on access rules
            
        Returns:
            Filtered recordset with access control attributes
        """
        userPrivilege = self.currentUser.get("privilege", "user")
        filtered_records = []
        
        # Apply filtering based on privilege
        if userPrivilege == "sysadmin":
            filtered_records = recordset  # System admins see all records
        elif userPrivilege == "admin":
            # Admins see records in their mandate
            filtered_records = [r for r in recordset if r.get("_mandateId") == self._mandateId]
        else:  # Regular users
            # For prompts, users can see all prompts from their mandate
            if table == "prompts":
                filtered_records = [r for r in recordset if r.get("_mandateId") == self._mandateId]
            else:
                # Users see only their records for other tables
                filtered_records = [r for r in recordset 
                    if r.get("_mandateId") == self._mandateId and r.get("_userId") == self._userId]
        
        # Add access control attributes to each record
        for record in filtered_records:
            record_id = record.get("id")
            
            # Set access control flags based on user permissions
            if table == "prompts":
                record["_hideView"] = False  # Everyone can view
                # Only allow modification of own prompts or if admin/sysadmin
                can_modify = (
                    userPrivilege == "sysadmin" or
                    (userPrivilege == "admin" and record.get("_mandateId") == self._mandateId) or
                    (record.get("_mandateId") == self._mandateId and record.get("_userId") == self._userId)
                )
                record["_hideEdit"] = not can_modify
                record["_hideDelete"] = not can_modify
            elif table == "files":
                record["_hideView"] = False  # Everyone can view
                record["_hideEdit"] = not self._canModify("files", record_id)
                record["_hideDelete"] = not self._canModify("files", record_id)
                record["_hideDownload"] = not self._canModify("files", record_id)
            elif table == "workflows":
                record["_hideView"] = False  # Everyone can view
                record["_hideEdit"] = not self._canModify("workflows", record_id)
                record["_hideDelete"] = not self._canModify("workflows", record_id)
            elif table == "workflowMessages":
                record["_hideView"] = False  # Everyone can view
                record["_hideEdit"] = not self._canModify("workflows", record.get("workflowId"))
                record["_hideDelete"] = not self._canModify("workflows", record.get("workflowId"))
            elif table == "workflowLogs":
                record["_hideView"] = False  # Everyone can view
                record["_hideEdit"] = not self._canModify("workflows", record.get("workflowId"))
                record["_hideDelete"] = not self._canModify("workflows", record.get("workflowId"))
            else:
                # Default access control for other tables
                record["_hideView"] = False
                record["_hideEdit"] = not self._canModify(table, record_id)
                record["_hideDelete"] = not self._canModify(table, record_id)
        
        return filtered_records

    def _canModify(self, table: str, recordId: Optional[int] = None) -> bool:
        """
        Checks if the current user can modify (create/update/delete) records in a table.
        
        Args:
            table: Name of the table
            recordId: Optional record ID for specific record check
            
        Returns:
            Boolean indicating permission
        """
        userPrivilege = self.currentUser.get("privilege", "user")
        
        # System admins can modify anything
        if userPrivilege == "sysadmin":
            return True
            
        # For regular users and admins, check specific cases
        if recordId is not None:
            # Get the record to check ownership
            records = self.db.getRecordset(table, recordFilter={"id": recordId})
            if not records:
                return False
                
            record = records[0]
            
            # Admins can modify anything in their mandate
            if userPrivilege == "admin" and record.get("_mandateId") == self._mandateId:
                return True
                
            # Regular users can only modify their own records
            if (record.get("_mandateId") == self._mandateId and 
                record.get("_userId") == self._userId):
                return True
                
            return False
        else:
            # For general modification permission (e.g., create)
            # Admins can create anything in their mandate
            if userPrivilege == "admin":
                return True
                
            # Regular users can create in most tables
            return True