/**
 * RBAC / permissions tests — dev system
 *
 * Validates that role-based access control is enforced correctly
 * against the running dev server with real seed data.
 *
 * Role hierarchy:
 *   ADMIN   — full access including all /admin/* routes
 *   MANAGER — can view allocations, cannot access /admin/users etc.
 *   VIEWER  — limited read-only; allocations are forbidden (TRPC FORBIDDEN)
 */
import { expect, test } from "@playwright/test";
import { DEV_USERS, signIn } from "./helpers.js";

test.describe("RBAC — admin routes", () => {
  test("admin can access /admin/users and sees user rows", async ({ page }) => {
    await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
    await page.goto("/admin/users");
    await page.waitForLoadState("networkidle");

    await expect(page.locator("table")).toBeVisible({ timeout: 10000 });
    // Seed users have planarchy.dev or capakraken.dev email domains
    await expect(
      page.locator("text=/planarchy\\.dev|capakraken\\.dev/").first(),
    ).toBeVisible({ timeout: 10000 });
  });

  test("admin can access /admin/system-roles without errors", async ({ page }) => {
    await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
    await page.goto("/admin/system-roles");
    await page.waitForLoadState("networkidle");

    // Page should render a heading, not a blank screen or error
    await expect(page.locator("h1,h2").first()).toBeVisible({ timeout: 10000 });
  });

  test("admin can access /admin/blueprints without errors", async ({ page }) => {
    await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
    await page.goto("/admin/blueprints");
    await page.waitForLoadState("networkidle");

    await expect(page.locator("h1,h2,h3").first()).toBeVisible({ timeout: 10000 });
  });

  test("manager is redirected or sees an error on /admin/users", async ({ page }) => {
    await signIn(page, DEV_USERS.manager.email, DEV_USERS.manager.password);
    await page.goto("/admin/users");
    await page.waitForLoadState("networkidle");

    // Expect either: redirect away from /admin/users, or a permission-denied message
    const isRedirected = !page.url().includes("/admin/users");
    const hasForbiddenText = await page
      .locator("text=/forbidden|permission|access denied|not authorized|unauthorized/i")
      .isVisible()
      .catch(() => false);

    expect(isRedirected || hasForbiddenText).toBe(true);
  });

  test("viewer is redirected or sees an error on /admin/users", async ({ page }) => {
    await signIn(page, DEV_USERS.viewer.email, DEV_USERS.viewer.password);
    await page.goto("/admin/users");
    await page.waitForLoadState("networkidle");

    const isRedirected = !page.url().includes("/admin/users");
    const hasForbiddenText = await page
      .locator("text=/forbidden|permission|access denied|not authorized|unauthorized/i")
      .isVisible()
      .catch(() => false);

    expect(isRedirected || hasForbiddenText).toBe(true);
  });
});

test.describe("RBAC — allocations access", () => {
  test("admin can view /allocations without permission errors", async ({ page }) => {
    await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
    await page.goto("/allocations");
    await page.waitForLoadState("networkidle");

    // Should NOT show the FORBIDDEN/permission-denied overlay
    await expect(
      page.locator("text=/do not have permission to view allocations/i"),
    ).toHaveCount(0, { timeout: 8000 });
  });

  test("manager can view /allocations without permission errors", async ({ page }) => {
    await signIn(page, DEV_USERS.manager.email, DEV_USERS.manager.password);
    await page.goto("/allocations");
    await page.waitForLoadState("networkidle");

    await expect(
      page.locator("text=/do not have permission to view allocations/i"),
    ).toHaveCount(0, { timeout: 8000 });
  });

  test("viewer sees a permission error on /allocations", async ({ page }) => {
    await signIn(page, DEV_USERS.viewer.email, DEV_USERS.viewer.password);
    await page.goto("/allocations");
    await page.waitForLoadState("networkidle");

    // AllocationsClient renders a permission-denied message when tRPC returns FORBIDDEN
    await expect(
      page.locator("text=/permission|forbidden|not have permission/i"),
    ).toBeVisible({ timeout: 10000 });
  });
});

test.describe("RBAC — dashboard loads for all roles", () => {
  for (const [role, creds] of Object.entries(DEV_USERS)) {
    test(`${role} dashboard loads without errors`, async ({ page }) => {
      await signIn(page, creds.email, creds.password);
      await page.goto("/dashboard");
      await page.waitForLoadState("networkidle");

      // Should be on dashboard, not bounced to sign-in
      await expect(page).not.toHaveURL(/\/auth\/signin/, { timeout: 5000 });
      // No unhandled error overlay
      await expect(page.locator("text=/500|Internal Server Error/i")).toHaveCount(0);
    });
  }
});