dashboard/backend/src/controllers/permission.controller.ts
Matthias Hochmeister d173c8235e rights system
2026-03-23 11:48:00 +01:00


import { Request, Response } from 'express';
import { permissionService } from '../services/permission.service';
import logger from '../utils/logger';
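/**
 * Type guard: true when `value` is an array whose elements are all strings.
 * Used to reject malformed permission lists before they reach the service.
 */
function isStringArray(value: unknown): value is string[] {
  return Array.isArray(value) && value.every((entry) => typeof entry === 'string');
}

/**
 * HTTP handlers for the permission API (per-user permissions, the admin
 * permission matrix, group assignments and maintenance flags).
 *
 * NOTE(review): none of the handlers below checks that the caller is an
 * administrator. Presumably the router mounts the /api/admin/* routes behind
 * authentication and admin-authorization middleware; confirm against the
 * route definitions, because these handlers write the permission table.
 *
 * The handlers never reference `this`, so they can be registered as route
 * callbacks without binding.
 */
class PermissionController {
  /**
   * GET /api/permissions/me
   * Returns the current user's effective permissions.
   *
   * Members of the `dashboard_admin` group receive every permission id in the
   * matrix; everyone else gets the permissions resolved from their groups.
   *
   * NOTE(review): when `req.user` is absent the group list falls back to `[]`
   * and the handler still answers 200; this relies on upstream authentication
   * middleware to reject anonymous requests. Confirm.
   */
  async getMyPermissions(req: Request, res: Response): Promise<void> {
    try {
      const groups: string[] = req.user?.groups ?? [];
      const isAdmin = groups.includes('dashboard_admin');
      let permissions: string[];
      if (isAdmin) {
        // Admin gets all permissions
        const matrix = await permissionService.getMatrix();
        permissions = matrix.permissions.map(p => p.id);
      } else {
        permissions = permissionService.getEffectivePermissions(groups);
      }
      res.json({
        success: true,
        data: {
          permissions,
          maintenance: permissionService.getMaintenanceFlags(),
          isAdmin,
        },
      });
    } catch (error) {
      logger.error('Failed to get user permissions', { error });
      res.status(500).json({ success: false, message: 'Fehler beim Laden der Berechtigungen' });
    }
  }

  /**
   * GET /api/admin/permissions/matrix
   * Returns the full permission matrix for the admin UI.
   */
  async getMatrix(_req: Request, res: Response): Promise<void> {
    try {
      const matrix = await permissionService.getMatrix();
      res.json({ success: true, data: matrix });
    } catch (error) {
      logger.error('Failed to get permission matrix', { error });
      res.status(500).json({ success: false, message: 'Fehler beim Laden der Berechtigungsmatrix' });
    }
  }

  /**
   * PUT /api/admin/permissions/group/:groupName
   * Sets all permissions for a given Authentik group.
   *
   * Responds 401 when no authenticated user is attached to the request and
   * 400 when `permissions` is missing, not an array, or contains non-string
   * entries. The acting user's id is passed to the service with the change.
   *
   * NOTE(review): permission ids are only type-checked here; whether they
   * must exist in the matrix is presumably enforced by the service. Verify.
   */
  async setGroupPermissions(req: Request, res: Response): Promise<void> {
    try {
      // Fail closed instead of dereferencing a missing user (previously a 500).
      const actor = req.user;
      if (!actor) {
        res.status(401).json({ success: false, message: 'Not authenticated' });
        return;
      }
      const groupName = req.params.groupName as string;
      // A request without a parsed body must produce a 400, not a destructuring error.
      const { permissions } = req.body ?? {};
      if (!Array.isArray(permissions)) {
        res.status(400).json({ success: false, message: 'permissions must be an array' });
        return;
      }
      // Reject objects, numbers or nested arrays before they reach persistence.
      if (!isStringArray(permissions)) {
        res.status(400).json({ success: false, message: 'permissions must contain only strings' });
        return;
      }
      await permissionService.setGroupPermissions(
        groupName,
        permissions,
        actor.id
      );
      res.json({ success: true, message: 'Berechtigungen aktualisiert' });
    } catch (error) {
      logger.error('Failed to set group permissions', { error });
      res.status(500).json({ success: false, message: 'Fehler beim Speichern der Berechtigungen' });
    }
  }

  /**
   * PUT /api/admin/permissions/bulk
   * Bulk-update permissions for multiple groups in one request.
   * Body: { updates: [{ group: string, permissions: string[] }] }
   *
   * Every entry is validated before anything is written, so one malformed
   * entry rejects the whole request with 400. Responds 401 when no
   * authenticated user is attached to the request.
   */
  async setBulkPermissions(req: Request, res: Response): Promise<void> {
    try {
      // Fail closed instead of dereferencing a missing user (previously a 500).
      const actor = req.user;
      if (!actor) {
        res.status(401).json({ success: false, message: 'Not authenticated' });
        return;
      }
      const { updates } = req.body ?? {};
      if (!Array.isArray(updates)) {
        res.status(400).json({ success: false, message: 'updates must be an array' });
        return;
      }
      for (const u of updates) {
        // null / primitive entries used to throw on property access and surface as 500.
        if (
          u === null ||
          typeof u !== 'object' ||
          typeof u.group !== 'string' ||
          !Array.isArray(u.permissions)
        ) {
          res.status(400).json({ success: false, message: 'Each update must have group (string) and permissions (array)' });
          return;
        }
        if (!isStringArray(u.permissions)) {
          res.status(400).json({ success: false, message: 'Each permissions entry must be a string' });
          return;
        }
      }
      await permissionService.setMultipleGroupPermissions(updates, actor.id);
      res.json({ success: true, message: 'Berechtigungen aktualisiert' });
    } catch (error) {
      logger.error('Failed to set bulk permissions', { error });
      res.status(500).json({ success: false, message: 'Fehler beim Speichern der Berechtigungen' });
    }
  }

  /**
   * GET /api/admin/permissions/groups
   * Returns all known Authentik groups from the permission table.
   */
  async getGroups(_req: Request, res: Response): Promise<void> {
    try {
      const groups = await permissionService.getKnownGroups();
      res.json({ success: true, data: groups });
    } catch (error) {
      logger.error('Failed to get groups', { error });
      res.status(500).json({ success: false, message: 'Fehler beim Laden der Gruppen' });
    }
  }

  /**
   * GET /api/admin/permissions/unknown-groups
   * Returns Authentik groups found in users table but not in the permission matrix.
   */
  async getUnknownGroups(_req: Request, res: Response): Promise<void> {
    try {
      const groups = await permissionService.getUnknownGroups();
      res.json({ success: true, data: groups });
    } catch (error) {
      logger.error('Failed to get unknown groups', { error });
      res.status(500).json({ success: false, message: 'Fehler beim Laden der unbekannten Gruppen' });
    }
  }

  /**
   * PUT /api/admin/permissions/maintenance/:featureGroupId
   * Toggles maintenance mode for a feature group.
   *
   * Responds 400 unless the body carries a boolean `active`.
   *
   * NOTE(review): unlike the permission writes, no acting user id is passed
   * to the service here, so this change may not be attributable in an audit
   * trail. Confirm whether the service records it another way.
   */
  async setMaintenanceFlag(req: Request, res: Response): Promise<void> {
    try {
      const featureGroupId = req.params.featureGroupId as string;
      // A request without a parsed body must produce a 400, not a destructuring error.
      const { active } = req.body ?? {};
      if (typeof active !== 'boolean') {
        res.status(400).json({ success: false, message: 'active must be a boolean' });
        return;
      }
      await permissionService.setMaintenanceFlag(featureGroupId, active);
      res.json({ success: true, message: 'Wartungsmodus aktualisiert' });
    } catch (error) {
      logger.error('Failed to set maintenance flag', { error });
      res.status(500).json({ success: false, message: 'Fehler beim Setzen des Wartungsmodus' });
    }
  }
}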
// Export a single shared controller instance. The class declares no fields and
// its handlers do not use `this`, so one instance serves every request.
export default new PermissionController();