/**
 * Frontend RBAC Utility
 * Client-side permission checking to match server-side RBAC system
 */

// Define the same permissions as the server
export const PERMISSIONS = {
  // General tenant management
  'tenant.view': 'View tenant information',
  'tenant.edit': 'Edit basic tenant settings',
  
  // Branding permissions
  'branding.view': 'View branding settings',
  'branding.edit': 'Edit branding and appearance',
  
  // Security permissions
  'security.view': 'View security settings',
  'security.edit': 'Edit security settings and IP restrictions',
  
  // User management permissions
  'users.view': 'View user list',
  'users.create': 'Create new users',
  'users.edit': 'Edit user details',
  'users.delete': 'Delete or deactivate users',
  'users.manage_roles': 'Change user roles',
  
  // Authentication permissions
  'auth.view': 'View authentication settings',
  'auth.edit': 'Edit authentication provider settings',
  
  // Operational permissions
  'dashboard.view': 'View dashboard',
  'devices.view': 'View devices',
  'devices.manage': 'Add, edit, delete devices',
  'detections.view': 'View detections',
  'alerts.view': 'View alerts',
  'alerts.manage': 'Manage alert configurations',
  'debug.access': 'Access debug information'
};

// Define roles and their permissions (must match server-side)
export const ROLES = {
  // Full tenant administrator
  'admin': [
    'tenant.view', 'tenant.edit',
    'branding.view', 'branding.edit',
    'security.view', 'security.edit',
    'users.view', 'users.create', 'users.edit', 'users.delete', 'users.manage_roles',
    'auth.view', 'auth.edit',
    'dashboard.view',
    'devices.view', 'devices.manage',
    'detections.view',
    'alerts.view', 'alerts.manage',
    'debug.access'
  ],
  
  // User management specialist
  'user_admin': [
    'tenant.view',
    'users.view', 'users.create', 'users.edit', 'users.delete', 'users.manage_roles',
    'dashboard.view',
    'devices.view',
    'detections.view',
    'alerts.view'
  ],
  
  // Security specialist
  'security_admin': [
    'tenant.view',
    'security.view', 'security.edit',
    'auth.view', 'auth.edit',
    'users.view',
    'dashboard.view',
    'devices.view',
    'detections.view',
    'alerts.view'
  ],
  
  // Branding/marketing specialist
  'branding_admin': [
    'tenant.view',
    'branding.view', 'branding.edit',
    'dashboard.view',
    'devices.view',
    'detections.view',
    'alerts.view'
  ],
  
  // Operations manager
  'operator': [
    'tenant.view',
    'dashboard.view',
    'devices.view', 'devices.manage',
    'detections.view',
    'alerts.view', 'alerts.manage'
  ],
  
  // Read-only user
  'viewer': [
    'dashboard.view',
    'devices.view',
    'detections.view',
    'alerts.view'
  ]
};

/**
 * Check if a user has a specific permission
 * @param {string} userRole - The user's role
 * @param {string} permission - The permission to check
 * @returns {boolean} True if the user has the permission
 */
export function hasPermission(userRole, permission) {
  if (!userRole || !permission) return false;
  
  const rolePermissions = ROLES[userRole];
  if (!rolePermissions) return false;
  
  return rolePermissions.includes(permission);
}

/**
 * Check if a user has any of the provided permissions
 * @param {string} userRole - The user's role
 * @param {string[]} permissions - Array of permissions to check
 * @returns {boolean} True if the user has at least one permission
 */
export function hasAnyPermission(userRole, permissions) {
  if (!userRole || !permissions || !Array.isArray(permissions)) return false;
  
  return permissions.some(permission => hasPermission(userRole, permission));
}

/**
 * Check if a user has all of the provided permissions
 * @param {string} userRole - The user's role
 * @param {string[]} permissions - Array of permissions to check
 * @returns {boolean} True if the user has all permissions
 */
export function hasAllPermissions(userRole, permissions) {
  if (!userRole || !permissions || !Array.isArray(permissions)) return false;
  
  return permissions.every(permission => hasPermission(userRole, permission));
}

/**
 * Get all permissions for a role
 * @param {string} userRole - The user's role
 * @returns {string[]} Array of permissions for the role
 */
export function getRolePermissions(userRole) {
  if (!userRole) return [];
  
  return ROLES[userRole] || [];
}

/**
 * Check if user can access settings at all
 * @param {string} userRole - The user's role
 * @returns {boolean} True if user can access any settings
 */
export function canAccessSettings(userRole) {
  return hasAnyPermission(userRole, [
    'tenant.view',
    'branding.view',
    'security.view',
    'auth.view',
    'users.view'
  ]);
}