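# === SETUP GROUPS MANAGEMENT COMMAND ===
# Creates two permission groups: "Admin" and "Work Logger".
# Run this once after deploying, and after `migrate` (Django creates the
# model permissions looked up here when migrations run):
#     python manage.py setup_groups
#
# "Admin" group gets full access to all core models.
# "Work Logger" group can add/change/view WorkLogs, and view-only
# access to Projects, Workers, and Teams.
#
# Re-running is authoritative: each group's permission set is replaced with
# the baseline defined in this file, so permissions added to or removed from
# these groups by hand are reverted. Group membership is not touched.

from django.core.management.base import BaseCommand
from django.contrib.auth.models import Group, Permission
from django.contrib.contenttypes.models import ContentType

from core.models import (
    Project, Worker, Team, WorkLog, PayrollRecord, Loan,
    PayrollAdjustment, ExpenseReceipt, ExpenseLineItem
)


class Command(BaseCommand):
    """Create or refresh the "Admin" and "Work Logger" permission groups."""

    help = 'Creates the Admin and Work Logger permission groups'

    def handle(self, *args, **options):
        """Create both groups if needed and reset their permissions.

        Each group's permissions are replaced (not merged) with the sets
        defined below. A warning is written to stderr when an expected
        permission cannot be found, instead of reporting success for a
        group that ended up with fewer permissions than intended.
        """
        incomplete = False

        # --- Create the "Admin" group ---
        # Admins get every permission on every core model. That includes
        # delete on the payroll, loan and expense models, so membership of
        # this group should be reviewed like any other privileged role.
        admin_group, created = Group.objects.get_or_create(name='Admin')
        if created:
            self.stdout.write(self.style.SUCCESS('Created "Admin" group'))
        else:
            self.stdout.write('Admin group already exists — updating permissions')

        # Get all permissions for our core models
        core_models = [
            Project, Worker, Team, WorkLog, PayrollRecord, Loan,
            PayrollAdjustment, ExpenseReceipt, ExpenseLineItem
        ]
        content_types = [
            ContentType.objects.get_for_model(model) for model in core_models
        ]
        all_permissions = list(
            Permission.objects.filter(content_type__in=content_types)
        )
        # set() replaces the group's permissions with exactly this list.
        admin_group.permissions.set(all_permissions)
        self.stdout.write(f' Assigned {len(all_permissions)} permissions to Admin group')

        # A core model with no Permission rows at all usually means the
        # command ran before migrations created them.
        covered = {perm.content_type_id for perm in all_permissions}
        for model, content_type in zip(core_models, content_types):
            if content_type.pk not in covered:
                incomplete = True
                self.stderr.write(self.style.WARNING(
                    f'No permissions found for {model.__name__}; '
                    'run "migrate" and then re-run this command'
                ))

        # --- Create the "Work Logger" group ---
        # Work Loggers can add/change/view WorkLogs, and view-only for
        # Projects, Workers, and Teams
        logger_group, created = Group.objects.get_or_create(name='Work Logger')
        if created:
            self.stdout.write(self.style.SUCCESS('Created "Work Logger" group'))
        else:
            self.stdout.write('Work Logger group already exists — updating permissions')

        # Explicit allow-list: anything not named here is not granted.
        logger_grants = [
            # WorkLog: add, change, view (but not delete)
            (WorkLog, ['add_worklog', 'change_worklog', 'view_worklog']),
            # Projects: view only
            (Project, ['view_project']),
            # Workers: view only
            (Worker, ['view_worker']),
            # Teams: view only
            (Team, ['view_team']),
        ]
        logger_permissions = []
        missing = []
        for model, codenames in logger_grants:
            found = list(Permission.objects.filter(
                content_type=ContentType.objects.get_for_model(model),
                codename__in=codenames
            ))
            logger_permissions.extend(found)
            found_codenames = {perm.codename for perm in found}
            missing.extend(
                codename for codename in codenames
                if codename not in found_codenames
            )

        logger_group.permissions.set(logger_permissions)
        self.stdout.write(f' Assigned {len(logger_permissions)} permissions to Work Logger group')

        if missing:
            incomplete = True
            self.stderr.write(self.style.WARNING(
                'Work Logger group is missing expected permissions: '
                + ', '.join(missing)
            ))

        if incomplete:
            self.stderr.write(self.style.WARNING(
                'Finished with warnings: permission groups are incomplete.'
            ))
        else:
            self.stdout.write(self.style.SUCCESS('Done! Permission groups are ready.'))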