from fastapi import Depends, HTTPException, status
from sqlalchemy.orm import Session

from app.core.auth import get_current_user
from app.core.database import get_db
from app.models.permission_role import PermissionRole
from app.models.permission import Permission


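def require_permission(subject: str, action: str):
    """Build a FastAPI dependency that authorizes ``action`` on ``subject``.

    The returned callable resolves the current user and a database session
    through ``Depends``, looks up the ``Permission`` row whose ``subject``
    matches, then the ``PermissionRole`` row linking that permission to the
    user's role, and finally checks that ``action`` is listed in that row's
    ``actions``. Every failure path denies access with HTTP 403.

    Args:
        subject: Value matched against ``Permission.subject``.
        action: Action that must be present in ``PermissionRole.actions``.

    Returns:
        A dependency callable that returns ``True`` when access is granted
        and raises ``HTTPException`` (403) otherwise.
    """

    def dependency(
        user=Depends(get_current_user),
        db: Session = Depends(get_db),
    ):
        """Return True if the user's role grants the action, else raise 403."""
        permission = db.query(Permission).filter(Permission.subject == subject).first()
        if not permission:
            # An unknown subject is treated as a denial, not as "no restriction".
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail="Permission not found",
            )

        # Fail closed for a user without a role: SQLAlchemy renders
        # `column == None` as `IS NULL`, so a None role_id would otherwise
        # match any PermissionRole row whose role_id is NULL.
        if user.role_id is None:
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail="Access denied",
            )

        permission_role = (
            db.query(PermissionRole)
            .filter(
                PermissionRole.role_id == user.role_id,
                PermissionRole.permission_id == permission.id,
            )
            .first()
        )

        # A NULL `actions` value is a denial (403) rather than a TypeError
        # surfacing as a 500.
        granted_actions = permission_role.actions if permission_role else None

        # NOTE(review): the membership test assumes `actions` is a collection
        # of action names (list / JSON array). If the column is a plain
        # string, `in` does substring matching and a short action name would
        # be accepted inside a longer one; confirm against the model.
        if granted_actions is None or action not in granted_actions:
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail="Access denied",
            )
        return True

    return dependency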
