package handler

import (
	"encoding/json"
	"net/http"

	"codeberg.org/VARASYS/ZDDC/zddc/internal/policy"
	"codeberg.org/VARASYS/ZDDC/zddc/internal/zddc"
)

// writeForbidden emits a 403 JSON response naming the missing verb. Used
// at every ACL-deny site so the client-side toast can render a specific
// "you need <verb> here" message and offer elevation when the path-scoped
// /.profile/access?path= reports a would_elevate_grant covering that verb.
//
// Body shape:
//
//	{"error": "Forbidden", "missing_verb": "w"}
//
// Existing clients that read the body as text see the JSON string instead
// of "Forbidden\n" — both are diagnostic-only display strings, no client
// in this repo parses the previous plain-text body for content. Used in
// place of `http.Error(w, "Forbidden", http.StatusForbidden)` exclusively
// for ACL-deny cases. Other 403 conditions (no authenticated principal,
// existence-leak guards, etc.) keep the plain-text variant since
// "missing_verb" doesn't apply to them.
func writeForbidden(w http.ResponseWriter, action string) {
	verb := verbForAction(action)
	body, _ := json.Marshal(map[string]string{
		"error":        "Forbidden",
		"missing_verb": verb,
	})
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	w.WriteHeader(http.StatusForbidden)
	_, _ = w.Write(body)
}

// writeForbiddenWho is writeForbidden enriched with a "who_can" Authority for
// the missing verb, computed from the deny site's policy chain. Lets the toast
// tell the user who to ask even when the action wasn't pre-checked (a race, or
// a path the client didn't gate). The pre-check path (AccessView.PathWhoCan) is
// the primary surface; this is the safety net.
func writeForbiddenWho(w http.ResponseWriter, action string, chain zddc.PolicyChain) {
	verb := verbForAction(action)
	body := map[string]any{"error": "Forbidden", "missing_verb": verb}
	if vs, ok := zddc.ParseVerbSet(verb); ok {
		if a := zddc.WhoCan(chain, vs); !a.Empty() {
			body["who_can"] = a
		}
	}
	raw, _ := json.Marshal(body)
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	w.WriteHeader(http.StatusForbidden)
	_, _ = w.Write(raw)
}

// verbForAction maps a policy.Action constant to its single-character
// verb. Mirrors policy.actionVerb but emits the wire-format letter
// rather than the bitmask, so the JSON body carries "r"/"w"/"c"/"d"/"a"
// — the same alphabet the listing's `verbs` field uses.
func verbForAction(action string) string {
	switch action {
	case policy.ActionWrite:
		return "w"
	case policy.ActionCreate:
		return "c"
	case policy.ActionDelete:
		return "d"
	case policy.ActionAdmin:
		return "a"
	default:
		return "r"
	}
}