"""
Custom permission classes for role-based access control.
"""

from rest_framework import permissions


class IsAdmin(permissions.BasePermission):
    """
    Permission class to check if user is an admin.
    """
    
    def has_permission(self, request, view):
        return request.user and request.user.is_authenticated and request.user.role == 'ADMIN'


class IsDoctor(permissions.BasePermission):
    """
    Permission class to check if user is a doctor.
    """
    
    def has_permission(self, request, view):
        return request.user and request.user.is_authenticated and request.user.role == 'DOCTOR'


class IsNurse(permissions.BasePermission):
    """
    Permission class to check if user is a nurse.
    """
    
    def has_permission(self, request, view):
        return request.user and request.user.is_authenticated and request.user.role == 'NURSE'


class IsABATherapist(permissions.BasePermission):
    """
    Permission class to check if user is an ABA therapist.
    """
    
    def has_permission(self, request, view):
        return request.user and request.user.is_authenticated and request.user.role == 'ABA'


class IsOTTherapist(permissions.BasePermission):
    """
    Permission class to check if user is an OT therapist.
    """
    
    def has_permission(self, request, view):
        return request.user and request.user.is_authenticated and request.user.role == 'OT'


class IsSLPTherapist(permissions.BasePermission):
    """
    Permission class to check if user is an SLP therapist.
    """
    
    def has_permission(self, request, view):
        return request.user and request.user.is_authenticated and request.user.role == 'SLP'


class IsFrontDesk(permissions.BasePermission):
    """
    Permission class to check if user is front desk staff.
    """
    
    def has_permission(self, request, view):
        return request.user and request.user.is_authenticated and request.user.role == 'FRONT_DESK'


class IsFinance(permissions.BasePermission):
    """
    Permission class to check if user is finance staff.
    """
    
    def has_permission(self, request, view):
        return request.user and request.user.is_authenticated and request.user.role == 'FINANCE'


class IsClinicalStaff(permissions.BasePermission):
    """
    Permission class to check if user is clinical staff (Doctor, Nurse, or Therapist).
    """
    
    def has_permission(self, request, view):
        clinical_roles = ['DOCTOR', 'NURSE', 'ABA', 'OT', 'SLP']
        return request.user and request.user.is_authenticated and request.user.role in clinical_roles


class IsAdminOrReadOnly(permissions.BasePermission):
    """
    Permission class to allow read-only access to all, but write access only to admins.
    """
    
    def has_permission(self, request, view):
        if request.method in permissions.SAFE_METHODS:
            return request.user and request.user.is_authenticated
        return request.user and request.user.is_authenticated and request.user.role == 'ADMIN'


class CanAccessPatient(permissions.BasePermission):
    """
    Permission class to check if user can access a specific patient.
    Checks tenant ownership.
    """
    
    def has_object_permission(self, request, view, obj):
        # Check if user's tenant matches patient's tenant
        return obj.tenant == request.user.tenant


class CanManageFinance(permissions.BasePermission):
    """
    Permission class for finance operations.
    Only admin and finance staff can manage finances.
    """
    
    def has_permission(self, request, view):
        return request.user and request.user.is_authenticated and request.user.role in ['ADMIN', 'FINANCE']


class CanBookAppointment(permissions.BasePermission):
    """
    Permission class for booking appointments.
    Front desk, clinical staff, and admins can book appointments.
    """
    
    def has_permission(self, request, view):
        allowed_roles = ['ADMIN', 'FRONT_DESK', 'DOCTOR', 'NURSE', 'ABA', 'OT', 'SLP']
        return request.user and request.user.is_authenticated and request.user.role in allowed_roles


class CanManageReferrals(permissions.BasePermission):
    """
    Permission class for managing referrals.
    Clinical staff and admins can manage referrals.
    """
    
    def has_permission(self, request, view):
        clinical_roles = ['ADMIN', 'DOCTOR', 'NURSE', 'ABA', 'OT', 'SLP']
        return request.user and request.user.is_authenticated and request.user.role in clinical_roles


class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    Permission class to allow owners to edit, others to read only.
    """
    
    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any authenticated user
        if request.method in permissions.SAFE_METHODS:
            return True
        
        # Write permissions are only allowed to the owner
        if hasattr(obj, 'created_by'):
            return obj.created_by == request.user
        if hasattr(obj, 'user'):
            return obj.user == request.user
        
        return False


class IsSameTenant(permissions.BasePermission):
    """
    Permission class to ensure user can only access data from their tenant.
    """
    
    def has_object_permission(self, request, view, obj):
        if hasattr(obj, 'tenant'):
            return obj.tenant == request.user.tenant
        return True