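from ninja import Router, Query
from django.db import transaction
from django.shortcuts import get_object_or_404
from accounts.models import User
from authorize.models import WebsiteAccessRequest, ResumeDetailAccessRequest
from authorize.schemas import ResumeAccessRequestIn, AccessRequestIn, AuthorizeIn
from resumes.models import ResumeDetail
from websites.models import Website
from utils.auth import jwt_auth
from utils.permissions import manager_required, login_required
from logs.models import LogEntry

website_authorize_router = Router(tags=["网站(简历一般信息)授权管理"])


@website_authorize_router.post(
    "/authorize",
    auth=jwt_auth,
    summary="分管手动授权网站[分管]",
    description="分管理授权普通用户访问指定网站",
)
@manager_required
def authorize_user(request, data: AuthorizeIn):
    """Grant an ordinary user access to websites the calling manager manages.

    The call is refused when the target account's role is not "user" or when
    any requested website id is outside the caller's ``managed_websites``.
    The grant, the status update of matching access requests and the audit
    log entries are written inside one transaction so they cannot diverge.

    Returns a dict with ``success`` and ``message``.
    """
    manager = request.user
    target_user = get_object_or_404(User, id=data.user_id)
    if target_user.role != "user":
        return {"success": False, "message": "只能授权给普通用户"}

    # NOTE(review): nothing here ties target_user to this manager, while
    # /my-sites scopes users by source_manager. Confirm whether a manager may
    # grant access to users bound to a different manager.
    managed_ids = set(manager.managed_websites.values_list("id", flat=True))
    for wid in data.website_ids:
        if wid not in managed_ids:
            return {"success": False, "message": f"无权授权网站ID:{wid}"}

    with transaction.atomic():
        target_user.authorized_websites.add(*data.website_ids)
        # NOTE(review): the filter has no status clause, so requests that were
        # previously rejected are also rewritten to "approved".
        WebsiteAccessRequest.objects.filter(
            user=target_user, website_id__in=data.website_ids
        ).update(status="approved")
        # One audit entry per granted website.
        for wid in data.website_ids:
            LogEntry.objects.create(
                user=manager,
                action="manual_grant_website",
                target_type="website",
                target_id=wid,
                message=f"手动授权 {target_user.username} 访问网站",
            )

    return {
        "success": True,
        "message": f"已授权 {target_user.username} 访问 {len(data.website_ids)} 个网站",
    }


@website_authorize_router.post(
    "/apply",
    auth=jwt_auth,
    summary="申请网站授权[普]",
    description="普通用户发起网站访问申请",
)
@login_required
def request_access(request, data: AccessRequestIn):
    """Record an access request from the current user for one website.

    A second request for the same website is refused while an earlier one is
    still pending. The request row and its audit log entry are written in one
    transaction.

    Returns a dict with ``success`` and ``message``.
    """
    user = request.user
    site = get_object_or_404(Website, id=data.website_id)

    # NOTE(review): only login_required guards this endpoint, so a request can
    # be filed for any website id. /my-sites offers only the sites of
    # user.source_manager, and nothing here checks whether the user is already
    # authorized. Confirm the intended policy.
    already_pending = WebsiteAccessRequest.objects.filter(
        user=user, website=site, status="pending"
    ).exists()
    if already_pending:
        return {"success": False, "message": "您已申请,正在等待审批"}

    with transaction.atomic():
        WebsiteAccessRequest.objects.create(user=user, website=site, reason=data.reason or "")
        LogEntry.objects.create(
            user=user,
            action="apply_website",
            target_type="website",
            target_id=site.id,
            message="申请访问网站",
        )
    return {"success": True, "message": "申请已提交,等待分管理审批"}


@website_authorize_router.get(
    "/pending",
    auth=jwt_auth,
    summary="待审批列表[分管]",
    description="分管理查看自己负责的网站的待审批访问申请",
)
@manager_required
def list_pending_requests(request):
    """List pending access requests for the websites the caller manages.

    Returns a dict with ``success`` and ``items``; each item carries the
    request id, the applicant's username, the website name, the stated reason
    and the creation time.
    """
    manager = request.user
    managed_ids = manager.managed_websites.values_list("id", flat=True)
    pending = (
        WebsiteAccessRequest.objects
        .filter(website_id__in=managed_ids, status="pending")
        # Join user and website up front: the loop below reads both for every
        # row, which otherwise costs two extra queries per request.
        .select_related("user", "website")
    )
    return {
        "success": True,
        "items": [
            {
                "id": r.id,
                "user": r.user.username,
                "website": r.website.name,
                "reason": r.reason,
                "created_at": r.created_at,
            }
            for r in pending
        ],
    }


@website_authorize_router.post(
    "/approve",
    auth=jwt_auth,
    summary="审批网站授权[分管]",
    description="分管理审批网站访问申请(通过或拒绝)",
)
@manager_required
def approve_request(request, request_id: int = Query(...), approve: bool = Query(True)):
    """Approve or reject one pending access request for a site the caller manages.

    The request must belong to a website in the caller's ``managed_websites``
    and must still be pending. Without the pending check a decided request
    could be decided again: rejecting an approved request would record
    "rejected" while the user kept the access granted earlier.

    The status change, the grant (on approval) and the audit log entry are
    written in one transaction.

    Returns a dict with ``success`` and ``message``.
    """
    access_request = get_object_or_404(WebsiteAccessRequest, id=request_id)

    # Ownership check as a single EXISTS query instead of loading every
    # managed website into memory.
    if not request.user.managed_websites.filter(pk=access_request.website_id).exists():
        return {"success": False, "message": "无权审批此申请"}

    # Only a pending request may be decided, so the recorded status always
    # matches the access actually granted.
    if access_request.status != "pending":
        return {"success": False, "message": "该申请已处理"}

    with transaction.atomic():
        access_request.status = "approved" if approve else "rejected"
        access_request.save()
        if approve:
            access_request.user.authorized_websites.add(access_request.website)
        LogEntry.objects.create(
            user=request.user,
            action="approve_website",
            target_type="website",
            target_id=access_request.website.id,
            message=f"审批网站:{access_request.user.username} -> {access_request.status}",
        )
    return {
        "success": True,
        "message": f"已{'通过' if approve else '拒绝'} {access_request.user.username} 的访问申请",
    }


@website_authorize_router.get(
    "/my-sites",
    auth=jwt_auth,
    summary="我的网站列表[普]",
    description="展示当前用户可申请与已授权的网站列表,并标记授权状态",
)
@login_required
def list_user_sites_with_status(request):
    """List the websites the current ordinary user may apply for.

    Only accounts for which ``is_user()`` is true and that have a
    ``source_manager`` are served. Each entry is flagged with whether the
    user is already authorized for that website.

    Returns a dict with ``success`` and either ``websites`` or ``message``.
    """
    user = request.user
    if not user.is_user():
        return {"success": False, "message": "仅普通用户可访问"}
    if not user.source_manager:
        return {"success": False, "message": "您尚未绑定所属分管理,无法申请网站"}

    # Websites the user can apply for: those managed by the user's own manager.
    manageable_sites = user.source_manager.managed_websites.all()
    authorized_site_ids = set(user.authorized_websites.values_list("id", flat=True))

    # NOTE(review): db_alias is returned to ordinary users; confirm the client
    # needs this internal identifier.
    websites = [
        {
            "id": site.id,
            "name": site.name,
            "db_alias": site.db_alias,
            "authorized": site.id in authorized_site_ids,
        }
        for site in manageable_sites
    ]
    return {"success": True, "websites": websites}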