from django.contrib import admin

from .models import OrganizationRole, RolePermission, UserPermission, UserRole


@admin.register(RolePermission)
class RolePermissionAdmin(admin.ModelAdmin):
    list_display = ('codename', 'modulo', 'descripcion')
    list_filter = ('modulo',)
    search_fields = ('codename', 'descripcion')
    ordering = ('modulo', 'codename')

    def get_readonly_fields(self, request, obj=None):
        # Al editar un permiso existente los campos son readonly para evitar inconsistencias
        if obj:
            return ('codename', 'modulo', 'descripcion')
        return ()

    def has_add_permission(self, request):
        return request.user.is_superuser

    def has_change_permission(self, request, obj=None):
        return request.user.is_superuser

    def has_delete_permission(self, request, obj=None):
        return request.user.is_superuser


class UserRoleInline(admin.TabularInline):
    model = UserRole
    extra = 0
    autocomplete_fields = ('user',)
    readonly_fields = ('created_at',)


@admin.register(OrganizationRole)
class OrganizationRoleAdmin(admin.ModelAdmin):
    list_display = ('nombre', 'organizacion', 'is_admin_role', 'permisos_count', 'usuarios_count')
    list_filter = ('organizacion', 'is_admin_role')
    search_fields = ('nombre', 'organizacion__nombre')
    filter_horizontal = ('permissions',)
    inlines = (UserRoleInline,)
    readonly_fields = ('created_at', 'updated_at')

    def permisos_count(self, obj):
        return obj.permissions.count()
    permisos_count.short_description = 'Permisos'

    def usuarios_count(self, obj):
        return obj.user_roles.count()
    usuarios_count.short_description = 'Usuarios'

    def has_add_permission(self, request):
        return request.user.is_superuser

    def has_delete_permission(self, request, obj=None):
        if obj and obj.is_admin_role:
            return False
        return request.user.is_superuser


@admin.register(UserRole)
class UserRoleAdmin(admin.ModelAdmin):
    list_display = ('user', 'role', 'organizacion', 'created_at')
    list_filter = ('role__organizacion', 'role__nombre')
    search_fields = ('user__username', 'user__email', 'role__nombre')
    autocomplete_fields = ('user',)
    readonly_fields = ('created_at',)

    def organizacion(self, obj):
        return obj.role.organizacion
    organizacion.short_description = 'Organización'

    def save_model(self, request, obj, form, change):
        # Bloquear remoción del rol admin_role al owner de la org
        if change and obj.role.is_admin_role:
            org = obj.role.organizacion
            if hasattr(org, 'owner') and org.owner == obj.user:
                from django.contrib import messages
                self.message_user(
                    request,
                    'No se puede remover el rol de administrador maestro al owner de la organización.',
                    level=messages.ERROR,
                )
                return
        super().save_model(request, obj, form, change)


@admin.register(UserPermission)
class UserPermissionAdmin(admin.ModelAdmin):
    list_display = ('user', 'permission', 'granted', 'organizacion', 'created_at')
    list_filter = ('granted', 'permission__modulo')
    search_fields = ('user__username', 'user__email', 'permission__codename')
    autocomplete_fields = ('user',)
    readonly_fields = ('created_at',)

    def organizacion(self, obj):
        return getattr(obj.user, 'organizacion', '—')
    organizacion.short_description = 'Organización'