"""
Permission decorators and mixins for role-based access control.

This module provides reusable components for protecting views based on
user authentication status and participant roles.
"""

from functools import wraps
from django.contrib.auth.decorators import login_required
from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
from django.http import HttpResponseRedirect
from django.shortcuts import redirect
from django.contrib import messages
from django.utils.http import url_has_allowed_host_and_scheme


def _safe_referer_redirect(request, fallback='/'):
    """Safely redirect to HTTP_REFERER if it's on the same host, otherwise use fallback."""
    referer = request.META.get('HTTP_REFERER', fallback)
    if url_has_allowed_host_and_scheme(referer, allowed_hosts={request.get_host()}):
        return HttpResponseRedirect(referer)
    return HttpResponseRedirect(fallback)


# Decorators for function-based views

def contributor_required(view_func):
    """
    Decorator that requires user to be logged in with a Participant record.
    All authenticated users with participants are contributors by default.
    """
    @wraps(view_func)
    @login_required
    def wrapper(request, *args, **kwargs):
        if not hasattr(request.user, 'participant'):
            messages.error(request, 'You need a participant profile to access this page.')
            return redirect('home')
        
        if not request.user.participant.is_active:
            messages.error(request, 'Your participant profile is inactive.')
            return redirect('home')
            
        return view_func(request, *args, **kwargs)
    return wrapper


def reviewer_required(view_func):
    """
    Decorator that requires user to have reviewer or admin role.
    """
    @wraps(view_func)
    @login_required
    def wrapper(request, *args, **kwargs):
        if not hasattr(request.user, 'participant'):
            messages.error(request, 'You need a participant profile to access this page.')
            return redirect('home')
            
        if not request.user.participant.is_reviewer:
            messages.error(request, 'You need reviewer permissions to access this page.')
            return redirect('home')
            
        return view_func(request, *args, **kwargs)
    return wrapper


def admin_required(view_func):
    """
    Decorator that requires user to have admin role.
    """
    @wraps(view_func)
    @login_required
    def wrapper(request, *args, **kwargs):
        if not hasattr(request.user, 'participant'):
            messages.error(request, 'You need a participant profile to access this page.')
            return redirect('home')
            
        if not request.user.participant.is_admin:
            messages.error(request, 'You need admin permissions to access this page.')
            return redirect('home')
            
        return view_func(request, *args, **kwargs)
    return wrapper


# Mixins for class-based views

class ContributorRequiredMixin(LoginRequiredMixin, UserPassesTestMixin):
    """
    Mixin that requires user to be logged in with a Participant record.
    """
    
    def test_func(self):
        """Check if user has an active participant profile."""
        return (
            hasattr(self.request.user, 'participant') and 
            self.request.user.participant.is_active
        )
    
    def handle_no_permission(self):
        """Show appropriate error message."""
        if not self.request.user.is_authenticated:
            return super().handle_no_permission()

        messages.error(self.request, 'You need an active participant profile to access this page.')
        return _safe_referer_redirect(self.request)


class ReviewerRequiredMixin(LoginRequiredMixin, UserPassesTestMixin):
    """
    Mixin that requires user to have reviewer or admin role.
    """
    
    def test_func(self):
        """Check if user has reviewer permissions."""
        return (
            hasattr(self.request.user, 'participant') and 
            self.request.user.participant.is_reviewer
        )
    
    def handle_no_permission(self):
        """Show appropriate error message."""
        if not self.request.user.is_authenticated:
            return super().handle_no_permission()

        messages.error(self.request, 'You need reviewer permissions to access this page.')
        return _safe_referer_redirect(self.request)


class AdminRequiredMixin(LoginRequiredMixin, UserPassesTestMixin):
    """
    Mixin that requires user to have admin role.
    """
    
    def test_func(self):
        """Check if user has admin permissions."""
        return (
            hasattr(self.request.user, 'participant') and 
            self.request.user.participant.is_admin
        )
    
    def handle_no_permission(self):
        """Show appropriate error message."""
        if not self.request.user.is_authenticated:
            return super().handle_no_permission()

        messages.error(self.request, 'You need admin permissions to access this page.')
        return _safe_referer_redirect(self.request)


class AdminRequiredSignupRedirectMixin(UserPassesTestMixin):
    """
    Mixin that requires user to have admin role.
    Redirects non-authenticated users to signup instead of login.
    """
    
    def test_func(self):
        """Check if user has admin permissions."""
        return (
            self.request.user.is_authenticated and
            hasattr(self.request.user, 'participant') and 
            self.request.user.participant.is_admin
        )
    
    def handle_no_permission(self):
        """Show appropriate error message and redirect."""
        from django.urls import reverse

        if not self.request.user.is_authenticated:
            messages.info(self.request, 'Please create an account to access this feature.')
            return redirect(reverse('account_signup') + '?next=' + self.request.path)

        messages.error(self.request, 'You need admin permissions to access this page.')
        return _safe_referer_redirect(self.request)


class OwnerOrAdminMixin(LoginRequiredMixin, UserPassesTestMixin):
    """
    Mixin that allows access to object owner or admin.
    Requires the view to have get_object() method.
    """
    owner_field = 'author'  # Override in subclass if different
    
    def test_func(self):
        """Check if user owns the object or is admin."""
        if not hasattr(self.request.user, 'participant'):
            return False
            
        # Admins can access everything
        if self.request.user.participant.is_admin:
            return True
            
        # Check ownership
        obj = self.get_object()
        owner = getattr(obj, self.owner_field, None)
        
        if hasattr(owner, 'user'):
            # Owner is a Participant with linked user
            return owner.user == self.request.user
        elif hasattr(owner, 'id'):
            # Owner is a Participant, check by participant
            return owner == self.request.user.participant
            
        return False
    
    def handle_no_permission(self):
        """Show appropriate error message."""
        if not self.request.user.is_authenticated:
            return super().handle_no_permission()

        messages.error(self.request, 'You can only edit your own content.')
        return _safe_referer_redirect(self.request)