const sameTenant = (actor, resource) => actor.role === 'super_admin' || actor.tenant_id === resource.tenant_id;

const canReadUser = (actor, targetUser) => {
  if (!actor || !targetUser || !sameTenant(actor, targetUser)) return false;
  if (actor.role === 'super_admin' || actor.role === 'admin') return true;
  if (actor.role === 'agent') return targetUser.id === actor.id;
  if (actor.role === 'manager') {
    return targetUser.id === actor.id || Boolean(actor.team_id && targetUser.team_id === actor.team_id);
  }
  return false;
};

const canUpdateUser = (actor, targetUser) => {
  if (!actor || !targetUser || !sameTenant(actor, targetUser)) return false;
  if (actor.id === targetUser.id) return true;
  if (actor.role === 'super_admin' || actor.role === 'admin') return true;
  if (actor.role === 'manager') {
    return Boolean(actor.team_id && targetUser.team_id === actor.team_id && targetUser.role === 'agent');
  }
  return false;
};

const canManageUserStatus = (actor) => actor.role === 'super_admin' || actor.role === 'admin';
const canChangeUserEmail = (actor, targetUser) => actor.id === targetUser.id || actor.role === 'super_admin' || actor.role === 'admin';
const canManageUserRoleOrTeam = (actor) => actor.role === 'super_admin' || actor.role === 'admin';

const canReadAttendance = (actor, attendance) => {
  if (!actor || !attendance || !sameTenant(actor, attendance)) return false;
  if (actor.role === 'super_admin' || actor.role === 'admin') return true;
  if (actor.role === 'agent') return attendance.user_id === actor.id;
  if (actor.role === 'manager') return Boolean(actor.team_id && attendance.team_id === actor.team_id);
  return false;
};

module.exports = {
  canReadUser,
  canUpdateUser,
  canManageUserStatus,
  canChangeUserEmail,
  canManageUserRoleOrTeam,
  canReadAttendance,
};