from rest_framework import permissions

from apps.workspaces.models import Workspace
from apps.workspaces.services import (
    CLIENTS_CREATE,
    CLIENTS_DELETE,
    CLIENTS_EDIT,
    CLIENTS_VIEW,
    can_delete_workspace_object,
    has_workspace_capability,
)


class IsClientWorkspaceMember(permissions.BasePermission):
    """
    Applies capability-based access checks for client resources.
    """

    message = "You do not have permission to access this client."

    def has_permission(self, request, view):
        if not request.user.is_authenticated:
            return False

        if view.action == "create":
            workspace_id = request.data.get("workspace_id")
            if not workspace_id:
                return False
            workspace = Workspace.objects.filter(id=workspace_id, is_deleted=False).first()
            return bool(
                workspace and has_workspace_capability(request.user, workspace, CLIENTS_CREATE)
            )

        return True

    def has_object_permission(self, request, view, obj):
        if not request.user.is_authenticated:
            return False

        capability = {
            "retrieve": CLIENTS_VIEW,
            "list": CLIENTS_VIEW,
            "update": CLIENTS_EDIT,
            "partial_update": CLIENTS_EDIT,
            "destroy": CLIENTS_DELETE,
        }.get(view.action, CLIENTS_VIEW)
        if view.action == "destroy":
            return can_delete_workspace_object(request.user, obj, CLIENTS_DELETE)
        return has_workspace_capability(request.user, obj.workspace, capability)