<?php

declare(strict_types=1);

namespace App\Scolarite\Infrastructure\Security;

use App\Administration\Domain\Model\User\Role;
use App\Administration\Infrastructure\Security\SecurityUser;

use function in_array;

use Override;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Vote;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

/**
 * Voter pour les autorisations sur l'emploi du temps.
 *
 * Seuls ADMIN et SUPER_ADMIN peuvent gérer l'EDT.
 * PROF, VIE_SCOLAIRE et ELEVE peuvent le consulter.
 *
 * @extends Voter<string, null>
 */
final class ScheduleSlotVoter extends Voter
{
    public const string VIEW = 'SCHEDULE_VIEW';
    public const string CREATE = 'SCHEDULE_CREATE';
    public const string EDIT = 'SCHEDULE_EDIT';
    public const string DELETE = 'SCHEDULE_DELETE';

    private const array SUPPORTED_ATTRIBUTES = [
        self::VIEW,
        self::CREATE,
        self::EDIT,
        self::DELETE,
    ];

    #[Override]
    protected function supports(string $attribute, mixed $subject): bool
    {
        return in_array($attribute, self::SUPPORTED_ATTRIBUTES, true);
    }

    #[Override]
    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
    {
        $user = $token->getUser();

        if (!$user instanceof SecurityUser) {
            return false;
        }

        $roles = $user->getRoles();

        return match ($attribute) {
            self::VIEW => $this->canView($roles),
            self::CREATE, self::EDIT, self::DELETE => $this->canManage($roles),
            default => false,
        };
    }

    /** @param string[] $roles */
    private function canView(array $roles): bool
    {
        return $this->hasAnyRole($roles, [
            Role::SUPER_ADMIN->value,
            Role::ADMIN->value,
            Role::PROF->value,
            Role::VIE_SCOLAIRE->value,
            Role::ELEVE->value,
            Role::PARENT->value,
        ]);
    }

    /** @param string[] $roles */
    private function canManage(array $roles): bool
    {
        return $this->hasAnyRole($roles, [
            Role::SUPER_ADMIN->value,
            Role::ADMIN->value,
        ]);
    }

    /**
     * @param string[] $userRoles
     * @param string[] $allowedRoles
     */
    private function hasAnyRole(array $userRoles, array $allowedRoles): bool
    {
        foreach ($userRoles as $role) {
            if (in_array($role, $allowedRoles, true)) {
                return true;
            }
        }

        return false;
    }
}