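"""Object-level DRF permission classes for workspace-scoped resources.

Every class here implements only ``has_object_permission``. DRF invokes that
hook from ``check_object_permissions()`` (generic views call it inside
``get_object()``), and the inherited ``BasePermission.has_permission()``
returns ``True``. List and create actions, and any custom action that never
calls ``get_object()``, are therefore NOT restricted by these classes: pair
them with a view-level permission and a workspace-scoped queryset.
"""
from rest_framework import permissions

from apps.workspaces.models import Workspace, WorkspaceMembership
from apps.workspaces.services import (
    WORKSPACE_EDIT,
    WORKSPACE_MEMBERS_CHANGE_ROLE,
    WORKSPACE_VIEW,
    has_workspace_capability,
)


def _is_authenticated(request):
    """Return True only when the request carries an authenticated user."""
    user = request.user
    return bool(user and user.is_authenticated)


def _resolve_workspace(obj):
    """Return the workspace that *obj* belongs to, or None if there is none.

    Accepts a ``Workspace`` itself, a ``WorkspaceMembership``, or any other
    object exposing a ``workspace`` attribute.
    """
    if isinstance(obj, Workspace):
        return obj
    if isinstance(obj, WorkspaceMembership):
        return obj.workspace
    # Duck-typed fallback. A missing attribute and an unset (None) relation
    # both yield None, so callers can deny access instead of raising.
    return getattr(obj, "workspace", None)


class IsWorkspaceOwner(permissions.BasePermission):
    """Allow access only to the user recorded as ``owner`` on the workspace.

    The check compares ``workspace.owner_id`` with ``request.user.id`` and
    nothing else.

    NOTE(review): an earlier docstring also promised access to users holding
    a WorkspaceMembership with the 'OWNER' role. No membership lookup happens
    here, so such users are denied unless they are also ``workspace.owner``.
    Confirm which rule is intended before relying on either.
    """

    message = "Access denied. You must be the Workspace Owner to perform this action."

    def has_object_permission(self, request, view, obj):
        """Return True when the authenticated user owns obj's workspace."""
        if not _is_authenticated(request):
            return False

        workspace = _resolve_workspace(obj)
        if workspace is None:
            # Fail closed: nothing to authorise against.
            return False

        return workspace.owner_id == request.user.id


class IsWorkspaceAdmin(permissions.BasePermission):
    """Allow access to users holding the ``WORKSPACE_EDIT`` capability.

    The decision is delegated to ``has_workspace_capability``. The class is
    intended for the 'ADMIN' and 'OWNER' roles; the role-to-capability
    mapping lives in ``apps.workspaces.services`` and is not visible here.
    """

    message = "Access denied. You must be a Workspace Admin or Owner to perform this action."

    def has_object_permission(self, request, view, obj):
        """Return True when the user may edit obj's workspace."""
        if not _is_authenticated(request):
            return False

        workspace = _resolve_workspace(obj)
        if workspace is None:
            # Fail closed: nothing to authorise against.
            return False

        return has_workspace_capability(request.user, workspace, WORKSPACE_EDIT)


class IsWorkspaceMember(permissions.BasePermission):
    """Allow access to users holding the ``WORKSPACE_VIEW`` capability.

    The decision is delegated to ``has_workspace_capability``. The class is
    intended for the 'OWNER', 'ADMIN' and 'MEMBER' roles; the
    role-to-capability mapping lives in ``apps.workspaces.services``.
    """

    message = "Access denied. You must be an active member of this workspace."

    def has_object_permission(self, request, view, obj):
        """Return True when the user may view obj's workspace."""
        if not _is_authenticated(request):
            return False

        workspace = _resolve_workspace(obj)
        if workspace is None:
            # Fail closed: nothing to authorise against.
            return False

        return has_workspace_capability(request.user, workspace, WORKSPACE_VIEW)


class CanWorkspaceManageMembers(permissions.BasePermission):
    """Allow access to users holding ``WORKSPACE_MEMBERS_CHANGE_ROLE``.

    NOTE(review): only the change-role capability is checked. If this class
    also guards other member-management actions, confirm that this
    capability is the right gate for each of them.
    """

    message = "Access denied. You do not have permission to manage workspace members."

    def has_object_permission(self, request, view, obj):
        """Return True when the user may change member roles in obj's workspace."""
        if not _is_authenticated(request):
            return False

        workspace = _resolve_workspace(obj)
        if workspace is None:
            # Fail closed: nothing to authorise against.
            return False

        return has_workspace_capability(
            request.user,
            workspace,
            WORKSPACE_MEMBERS_CHANGE_ROLE,
        )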