from rest_framework import serializers

from api.rbac.models import (
    OrganizationRole,
    RolePermission,
    UserPermission,
    UserRole,
)


class RolePermissionSerializer(serializers.ModelSerializer):
    """Expose a RolePermission as id, codename, descripcion and modulo."""

    class Meta:
        model = RolePermission
        fields = ["id", "codename", "descripcion", "modulo"]


class OrganizationRoleSerializer(serializers.ModelSerializer):
    """Represent an OrganizationRole with its permissions nested on read.

    ``permissions`` is the read-only nested form; ``permission_ids`` is the
    write-only list of primary keys. Both map to the model's ``permissions``.
    """

    permissions = RolePermissionSerializer(many=True, read_only=True)
    # The queryset is every RolePermission row: any existing primary key
    # validates, with no narrowing by organization or by what the caller holds.
    # NOTE(review): confirm the view decides who may attach which permissions.
    permission_ids = serializers.PrimaryKeyRelatedField(
        queryset=RolePermission.objects.all(),
        many=True,
        write_only=True,
        source="permissions",
        required=False,
    )
    # Declared explicitly rather than derived from the model; presumably filled
    # by a queryset annotation in the view. TODO confirm.
    user_count = serializers.IntegerField(read_only=True)

    class Meta:
        model = OrganizationRole
        fields = [
            "id",
            "nombre",
            "descripcion",
            "is_admin_role",
            "permissions",
            "permission_ids",
            "user_count",
            "created_at",
            "updated_at",
        ]
        # is_admin_role is read-only, so a request payload cannot set or clear
        # the admin flag through this serializer.
        read_only_fields = ["id", "is_admin_role", "created_at", "updated_at"]


class OrganizationRoleWriteSerializer(serializers.ModelSerializer):
    """Serializer for creating/editing roles; takes a list of permission IDs."""

    # Same unrestricted queryset as the read serializer: every existing
    # RolePermission primary key is accepted.
    permission_ids = serializers.PrimaryKeyRelatedField(
        queryset=RolePermission.objects.all(),
        many=True,
        source="permissions",
        required=False,
    )

    class Meta:
        model = OrganizationRole
        # Only these keys are taken from the payload; is_admin_role is not
        # among them, so it cannot be mass-assigned here.
        fields = ["nombre", "descripcion", "permission_ids"]

    def create(self, validated_data):
        """Create the role, then attach the requested permissions.

        An absent ``permission_ids`` yields an empty permission set.
        """
        # The role row is written before its permissions and no transaction is
        # opened here. NOTE(review): atomicity depends on the caller (for
        # example ATOMIC_REQUESTS); confirm.
        assigned = validated_data.pop("permissions", [])
        new_role = OrganizationRole.objects.create(**validated_data)
        new_role.permissions.set(assigned)
        return new_role

    def update(self, instance, validated_data):
        """Apply scalar changes and replace permissions only when supplied.

        When ``permission_ids`` is absent the existing permission set is left
        untouched; when present (even empty) it replaces the whole set.
        """
        assigned = validated_data.pop("permissions", None)
        for field_name, new_value in validated_data.items():
            setattr(instance, field_name, new_value)
        instance.save()
        if assigned is None:
            return instance
        instance.permissions.set(assigned)
        return instance


class _UserMinimalSerializer(serializers.Serializer):
    """Compact user representation embedded in role and permission grants."""

    id = serializers.UUIDField()
    username = serializers.CharField()
    email = serializers.EmailField()
    first_name = serializers.CharField()
    last_name = serializers.CharField()


class _RoleMinimalSerializer(serializers.Serializer):
    """Compact role representation: id, nombre and descripcion."""

    id = serializers.UUIDField()
    nombre = serializers.CharField()
    descripcion = serializers.CharField()


class UserRoleSerializer(serializers.ModelSerializer):
    """Represent a user-to-role assignment (nested on read, UUIDs on write)."""

    user = _UserMinimalSerializer(read_only=True)
    role = _RoleMinimalSerializer(read_only=True)
    # Write side: plain UUIDFields, so validated_data holds raw UUID values
    # under the keys "user" and "role". This serializer checks the format only,
    # not that the rows exist or belong to the caller's organization.
    # NOTE(review): confirm the view resolves both ids and enforces that user
    # and role sit in the requester's organization before saving.
    user_id = serializers.UUIDField(write_only=True, source="user")
    role_id = serializers.UUIDField(write_only=True, source="role")

    class Meta:
        model = UserRole
        fields = ["id", "user", "user_id", "role", "role_id", "created_at"]
        read_only_fields = ["id", "created_at"]


class UserPermissionSerializer(serializers.ModelSerializer):
    """Represent a per-user permission entry with its ``granted`` flag."""

    user = _UserMinimalSerializer(read_only=True)
    permission = RolePermissionSerializer(read_only=True)
    # Write side: raw UUID / integer values land in validated_data under the
    # keys "user" and "permission"; neither existence nor organization
    # membership is checked in this serializer.
    # NOTE(review): confirm the view validates both ids and the caller's right
    # to change this user's permissions. "granted" is client-writable.
    user_id = serializers.UUIDField(write_only=True, source="user")
    permission_id = serializers.IntegerField(write_only=True, source="permission")

    class Meta:
        model = UserPermission
        fields = [
            "id",
            "user",
            "user_id",
            "permission",
            "permission_id",
            "granted",
            "created_at",
        ]
        read_only_fields = ["id", "created_at"]


class MyPermissionsSerializer(serializers.Serializer):
    """Response of /rbac/my-permissions/: the authenticated user's effective permissions."""

    permissions = serializers.ListField(child=serializers.CharField())
    roles = serializers.ListField(child=serializers.CharField())