"""
Nom du script : gitlab_permission_service.py
Chemin : /gitlab-bridge/app/services/gitlab_permission_service.py
Description : Vérification des droits réels d'un utilisateur sur un projet GitLab.
Options éventuelles : Aucune.
Exemples d'utilisation : `assert_can_read_project(...)`, `assert_can_create_issue(...)`.
Prérequis : Python 3.11+.
Auteur : Sylvain SCATTOLINI
Date de création / modification : 2026-03-25
Version : 1.1
"""

from __future__ import annotations

from app.clients.gitlab_client import GitLabClient
from app.core.exceptions import AccessDeniedError, GitLabApiError


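class GitLabPermissionService:
    """Check the minimum GitLab project role a user needs for an action.

    Every check looks the user up through the injected client and compares
    the ``access_level`` of the returned member record with one of the
    ``ACCESS_LEVEL_*`` thresholds below. A check either returns the member
    record or raises; it never returns a falsy "denied" value, so callers
    cannot mistake a denial for success.

    NOTE(review): the record comes from ``client.get_project_member``. Which
    GitLab endpoint that call uses is not visible here. GitLab's
    ``/projects/:id/members/:user_id`` lists direct members only, while
    ``/members/all/:user_id`` also covers membership inherited from a group;
    confirm the client matches the intended policy.
    NOTE(review): only ``access_level`` is inspected. If the payload also
    carries an account state (e.g. blocked) or an expiry date, those are not
    enforced here; confirm they are handled elsewhere.
    """

    # Numeric role values compared against the member's ``access_level``.
    ACCESS_LEVEL_GUEST = 10
    ACCESS_LEVEL_REPORTER = 20
    ACCESS_LEVEL_DEVELOPER = 30
    ACCESS_LEVEL_MAINTAINER = 40
    ACCESS_LEVEL_OWNER = 50

    def __init__(self, client: GitLabClient) -> None:
        """Keep the GitLab client used for membership lookups."""
        self.client = client

    def assert_can_read_project(self, project_id: int, user_id: int) -> dict:
        """Return the member record if the user holds at least Guest.

        Raises:
            AccessDeniedError: the user is not a member, the level is below
                Guest, or the level in the record cannot be read.
            GitLabApiError: the lookup failed for a reason other than 404.
        """
        return self._require_level(
            project_id,
            user_id,
            self.ACCESS_LEVEL_GUEST,
            "L'utilisateur n'a pas d'accès valide à ce projet.",
        )

    def assert_can_create_issue(self, project_id: int, user_id: int) -> dict:
        """Return the member record if the user holds at least Reporter.

        Raises:
            AccessDeniedError: the user is not a member, the level is below
                Reporter, or the level in the record cannot be read.
            GitLabApiError: the lookup failed for a reason other than 404.
        """
        return self._require_level(
            project_id,
            user_id,
            self.ACCESS_LEVEL_REPORTER,
            "L'utilisateur ne peut pas créer d'issue sur ce projet.",
        )

    def _require_level(
        self, project_id: int, user_id: int, minimum: int, denial_message: str
    ) -> dict:
        """Fetch the member record and enforce *minimum* on its access level."""
        member = self._get_member(project_id=project_id, user_id=user_id)
        if self._access_level_of(member) < minimum:
            raise AccessDeniedError(denial_message)
        return member

    @staticmethod
    def _access_level_of(member: object) -> int:
        """Read ``access_level`` from a member record, failing closed.

        A record that is not mapping-like, or whose level is missing, null or
        non-numeric, yields 0. That is below every threshold, so the caller
        raises AccessDeniedError instead of letting a TypeError, ValueError
        or AttributeError escape from an authorization check.
        """
        try:
            return int(member.get('access_level', 0))
        except (AttributeError, TypeError, ValueError, OverflowError):
            return 0

    def _get_member(self, project_id: int, user_id: int) -> dict:
        """Look up the user's membership record on the project.

        A GitLabApiError whose text contains 'HTTP 404' is converted into an
        AccessDeniedError without a message; any other API error propagates
        unchanged, so an outage surfaces as an error and never as access.
        """
        try:
            return self.client.get_project_member(project_id=project_id, user_id=user_id)
        except GitLabApiError as exc:
            # NOTE(review): matching on the message text is brittle. If
            # GitLabApiError exposes the HTTP status as an attribute, compare
            # that instead. A missed 404 only re-raises the API error, so the
            # check stays fail-closed either way.
            if 'HTTP 404' in str(exc):
                raise AccessDeniedError() from exc
            raise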
