<?php

/**
 * ============================================================
 *
 * @project   biiproject
 *
 * @author    Andika Debi Putra
 *
 * @email     andikadebiputra@gmail.com
 *
 * @website   https://biiproject.com
 *
 * @copyright Copyright (c) 2026 Andika Debi Putra
 * @license   Proprietary - All Rights Reserved
 *
 * @version   1.0.0
 *
 * @created   2026-05-01
 * ============================================================
 *
 * Unauthorized copying, modification, distribution, or use
 * of this file is strictly prohibited without prior written
 * permission from the author.
 * ============================================================
 */

namespace App\Http\Controllers\AccessControl;

use App\Models\Permission;
use App\Support\DataTable;
use Illuminate\Database\QueryException;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;
use Illuminate\Validation\Rule;

class PermissionManagementController extends Controller
{
    public function __construct()
    {
        // Middleware handled in web.php
    }

    // show all permissions with relations
    public function index(Request $request)
    {
        if (DataTable::isDataTableRequest($request)) {
            return $this->dataTable($request);
        }

        // render view with data
        return view('pages.access_control.permissions');
    }

    protected function dataTable(Request $request)
    {
        try {
            $query = Permission::query()->with(['roles:id,name', 'creator:id,email', 'updater:id,email']);
            $recordsTotal = Permission::count();
            $globalSearch = DataTable::globalSearch($request);

            $authUser = $request->user();
            $canManage = $authUser->can('manage access rights');

            if ($canManage) {
                $status = DataTable::columnSearch($request, 0);
                $name = DataTable::columnSearch($request, 1);
                $guard = DataTable::columnSearch($request, 2);
                $role = DataTable::columnSearch($request, 3);
            } else {
                $status = null;
                $name = DataTable::columnSearch($request, 0);
                $guard = DataTable::columnSearch($request, 1);
                $role = DataTable::columnSearch($request, 2);
            }

            if ($status) {
                $query->where('is_active', $status === 'active');
            }

            if ($name) {
                $query->where('name', 'like', "%{$name}%");
            }

            if ($guard) {
                $query->where('guard_name', 'like', "%{$guard}%");
            }

            if ($role) {
                $query->whereHas('roles', function ($roleQuery) use ($role) {
                    $roleQuery->where('name', 'like', "%{$role}%");
                });
            }

            if ($canManage) {
                $createdAt = DataTable::columnSearch($request, 4);
                $createdBy = DataTable::columnSearch($request, 5);
                $updatedAt = DataTable::columnSearch($request, 6);
                $updatedBy = DataTable::columnSearch($request, 7);
            } else {
                $createdAt = DataTable::columnSearch($request, 3);
                $createdBy = DataTable::columnSearch($request, 4);
                $updatedAt = DataTable::columnSearch($request, 5);
                $updatedBy = DataTable::columnSearch($request, 6);
            }

            if ($createdAt) {
                $query->whereDate('created_at', $createdAt);
            }

            if ($createdBy) {
                $query->whereHas('creator', function ($creatorQuery) use ($createdBy) {
                    $creatorQuery->where('email', 'like', "%{$createdBy}%");
                });
            }

            if ($updatedAt) {
                $query->whereDate('updated_at', $updatedAt);
            }

            if ($updatedBy) {
                $query->whereHas('updater', function ($updaterQuery) use ($updatedBy) {
                    $updaterQuery->where('email', 'like', "%{$updatedBy}%");
                });
            }

            if ($globalSearch) {
                $query->where(function ($searchQuery) use ($globalSearch) {
                    $searchQuery
                        ->where('name', 'like', "%{$globalSearch}%")
                        ->orWhere('guard_name', 'like', "%{$globalSearch}%")
                        ->orWhereHas('roles', function ($roleQuery) use ($globalSearch) {
                            $roleQuery->where('name', 'like', "%{$globalSearch}%");
                        })
                        ->orWhereHas('creator', function ($creatorQuery) use ($globalSearch) {
                            $creatorQuery->where('email', 'like', "%{$globalSearch}%");
                        })
                        ->orWhereHas('updater', function ($updaterQuery) use ($globalSearch) {
                            $updaterQuery->where('email', 'like', "%{$globalSearch}%");
                        });
                });
            }

            // Perform filtered count WITHOUT eager loading or ordering
            $countQuery = clone $query;
            $countQuery->setEagerLoads([]);
            $countQuery->orders = null;
            $recordsFiltered = $countQuery->count();
            [$orderIndex, $orderDirection] = DataTable::order($request, $canManage ? 4 : 3, 'desc');

            $sortColumn = match (true) {
                $canManage && $orderIndex === 0 => 'is_active',
                ($canManage && $orderIndex === 1) || (! $canManage && $orderIndex === 0) => 'name',
                ($canManage && $orderIndex === 2) || (! $canManage && $orderIndex === 1) => 'guard_name',
                ($canManage && $orderIndex === 4) || (! $canManage && $orderIndex === 3) => 'created_at',
                ($canManage && $orderIndex === 6) || (! $canManage && $orderIndex === 5) => 'updated_at',
                default => 'created_at',
            };

            $permissions = $query
                ->orderBy($sortColumn, $orderDirection)
                ->skip(DataTable::start($request))
                ->take(DataTable::length($request))
                ->get();

            $rows = $permissions->map(function (Permission $permission) use ($canManage) {
                $row = [];

                if ($canManage) {
                    $row[] = sprintf(
                        '<div class="form-check form-switch d-flex align-items-center gap-2"><input class="form-check-input permission-toggle" type="checkbox" %s data-id="%d" data-name="%s"><span class="status-label %s">%s</span></div>',
                        $permission->is_active ? 'checked' : '',
                        $permission->id,
                        e($permission->name),
                        $permission->is_active ? 'text-success' : 'text-danger',
                        $permission->is_active ? 'Active' : 'Inactive'
                    );
                }

                $roleNames = $permission->roles->pluck('name');
                $roleBadges = $roleNames->isNotEmpty()
                    ? $roleNames->map(fn ($role) => '<span class="badge badge-slate-pill">'.e($role).'</span>')->implode(' ')
                    : '-';

                $row[] = e($permission->name);
                $row[] = e($permission->guard_name);
                $row[] = $roleBadges;
                $row[] = e(format_datetime($permission->created_at));
                $row[] = e($permission->creator->email ?? 'System');
                $row[] = e(format_datetime($permission->updated_at));
                $row[] = e($permission->updater->email ?? '-');

                if ($canManage) {
                    $row[] = '<div class="text-end">'
                        .'<button class="btn btn-link btn-edit" data-id="'.$permission->id.'" data-name="'.e($permission->name).'" data-guard="'.e($permission->guard_name).'" data-created="'.e(format_datetime($permission->created_at)).'" data-created-by="'.e($permission->creator->email ?? 'System').'" data-updated-at="'.e(format_datetime($permission->updated_at)).'" data-updated-by="'.e($permission->updater->email ?? '-').'" data-bs-toggle="modal" data-bs-target="#editPermissionModal"><i class="bi bi-pencil"></i></button>'
                        .'<button class="btn btn-link text-danger btn-delete" data-id="'.$permission->id.'" data-name="'.e($permission->name).'"><i class="bi bi-trash"></i></button>'
                        .'</div>';
                }

                return $row;
            })->all();

            return DataTable::response($request, $recordsTotal, $recordsFiltered, $rows);
        } catch (\Exception $e) {
            Log::error('DataTable Error [PermissionManagement]: '.$e->getMessage());

            return DataTable::response($request, 0, 0, []);
        }
    }

    // create new permission
    public function store(Request $request)
    {
        // validate input fields
        $request->validate([
            'name' => [
                'required',
                'string',
                'min:3',
                'max:100',
                'regex:/^[a-zA-Z0-9_\-\.\/]+$/',
                Rule::unique('permissions', 'name')
                    ->where(fn ($query) => $query->where('guard_name', $request->guard_name)
                    ),
            ],
            'guard_name' => [
                'required',
                'string',
                'in:web,api',
            ],
        ], [
            'name.required' => __('Permission name is required.'),
            'name.regex' => __('Permission name contains invalid characters.'),
            'name.unique' => __('A permission with this Name & Guard combination already exists.'),
            'guard_name.required' => __('Guard is required.'),
            'guard_name.in' => __('Invalid guard selected.'),
        ]);

        try {
            // save permission record
            Permission::create([
                'name' => $request->name,
                'guard_name' => $request->guard_name,
                'created_by' => Auth::id(),
            ]);

            // success feedback
            if ($request->expectsJson()) {
                return response()->json([
                    'success' => true,
                    'message' => __('Permission has been successfully created.'),
                ]);
            }

            return redirect()->back()->with('success', __('Permission has been successfully created.'));

        } catch (\Exception $e) {
            if ($request->expectsJson()) {
                return response()->json([
                    'success' => false,
                    'message' => __('Failed to create permission: ').$e->getMessage(),
                ], 500);
            }

            return redirect()->back()->with('error', __('Failed to create permission: ').$e->getMessage());
        }
    }

    // update permission by id
    public function update(Request $request, $id)
    {

        // validate request input
        $request->validate([
            'name' => [
                'required',
                'string',
                'min:3',
                'max:100',
                'regex:/^[a-zA-Z0-9_\-\.\/]+$/',
                Rule::unique('permissions', 'name')
                    ->where(fn ($query) => $query->where('guard_name', $request->guard_name)
                    )
                    ->ignore($id),
            ],
            'guard_name' => [
                'required',
                'string',
                'in:web,api',
            ],
        ], [
            'name.required' => __('Permission name is required.'),
            'name.regex' => __('Permission name contains invalid characters.'),
            'name.unique' => __('A permission with this Name & Guard combination is already registered.'),
            'guard_name.required' => __('Guard is required.'),
            'guard_name.in' => __('Invalid guard selected.'),
        ]);

        try {
            // find permission record
            $permission = Permission::findOrFail($id);

            // update permission values
            $permission->update([
                'name' => $request->name,
                'guard_name' => $request->guard_name,
                'updated_by' => Auth::id(),
            ]);

            // success response
            if ($request->expectsJson()) {
                return response()->json([
                    'success' => true,
                    'message' => __('Permission has been successfully updated.'),
                ]);
            }

            return redirect()->back()->with('success', __('Permission has been successfully updated.'));

        } catch (QueryException $e) {
            if ($request->expectsJson()) {
                return response()->json([
                    'success' => false,
                    'message' => __('Failed to update permission: ').$e->getMessage(),
                ], 500);
            }

            return redirect()->back()->with('error', __('Failed to update permission: ').$e->getMessage());
        }
    }

    // toggle active or inactive status
    public function toggleStatus(Request $request)
    {
        // validate status request
        $request->validate([
            'id' => 'required|exists:permissions,id',
            'status' => 'required|in:activate,deactivate',
        ]);

        $permission = Permission::findOrFail($request->id);

        $permission->update([
            'is_active' => $request->status === 'activate' ? 1 : 0,
            'updated_by' => Auth::id(),
        ]);

        // respond to client (ajax)
        return response()->json([
            'success' => true,
            'message' => __('Permission status updated successfully.'),
        ]);
    }

    public function destroy($id)
    {
        $permission = Permission::findOrFail($id);
        $permission->delete(); // soft delete (not permanent)

        return response()->json([
            'success' => true,
            'message' => __('Permission has been archived.'),
        ]);
    }
}