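"""Enterprise knowledge-base access control: RBAC (role) + ABAC (visibility).

The rules mirror those in quanxianfangan.md.  Knowledge bases and knowledge
graphs share one rule set, so both public pairs (`can_view_*` /
`can_manage_*`) delegate to a single private helper each; keeping one copy
of the decision logic prevents the two resource types from silently
drifting apart.  Every decision is deny-by-default: an unknown role or an
unknown visibility value never grants access.
"""

from __future__ import annotations

from typing import TYPE_CHECKING, Literal

if TYPE_CHECKING:
    # Model classes are referenced only in annotations; importing them lazily
    # keeps this module free of a runtime dependency (and import cycles) on
    # the model package.
    from models.graph_metadata import GraphRecord
    from models.knowledge_base import KnowledgeBase
    from models.user import User

UserRole = Literal["admin", "leader", "employee"]
KbVisibility = Literal["private", "department", "enterprise"]


def _can_view_resource(user: User, resource: KnowledgeBase | GraphRecord) -> bool:
    """Shared view rule for knowledge bases and graphs.

    Grants, in order: any ``admin``; the resource's creator; a ``leader`` of
    the resource's department (regardless of visibility); otherwise the
    resource's visibility decides (``department`` → same department,
    ``enterprise`` → same enterprise).  A missing or empty visibility is
    treated as ``private``; ``private`` and any unrecognised value deny.

    Args:
        user: Caller; reads ``id``, ``role``, ``department_id``, ``enterprise_id``.
        resource: Target; reads ``creator_id``, ``department_id``,
            ``enterprise_id``, ``visibility``.

    Returns:
        True if *user* may view *resource*.
    """
    # NOTE(review): "admin" is unscoped here but enterprise-scoped in
    # _can_manage_resource. If "admin" denotes an *enterprise* admin (as the
    # manage docstring says), an admin of one enterprise can view another
    # enterprise's resources — confirm this is intended.
    if user.role == "admin":
        return True
    # `is not None` guards stop a None creator_id matching a None user id.
    if resource.creator_id is not None and user.id == resource.creator_id:
        return True
    if (
        user.role == "leader"
        and user.department_id is not None
        and resource.department_id == user.department_id
    ):
        return True

    visibility = resource.visibility or "private"
    if visibility == "department":
        return user.department_id is not None and resource.department_id == user.department_id
    if visibility == "enterprise":
        return user.enterprise_id is not None and resource.enterprise_id == user.enterprise_id
    # "private" and any value outside KbVisibility: deny.
    return False


def _can_manage_resource(user: User, resource: KnowledgeBase | GraphRecord) -> bool:
    """Shared manage rule for knowledge bases and graphs.

    Grants an ``admin`` whose enterprise matches the resource's enterprise,
    or the resource's creator.  Everyone else is denied.

    Args:
        user: Caller; reads ``id``, ``role``, ``enterprise_id``.
        resource: Target; reads ``creator_id``, ``enterprise_id``.

    Returns:
        True if *user* may manage (edit/delete) *resource*.
    """
    if (
        user.role == "admin"
        and user.enterprise_id is not None
        and resource.enterprise_id == user.enterprise_id
    ):
        return True
    if resource.creator_id is not None and user.id == resource.creator_id:
        return True
    return False


def can_view_kb(user: User, kb: KnowledgeBase) -> bool:
    """Return True if *user* may view knowledge base *kb* (see _can_view_resource)."""
    return _can_view_resource(user, kb)


def can_manage_kb(user: User, kb: KnowledgeBase) -> bool:
    """Return True if *user* may manage *kb*: its creator, or an admin of its enterprise."""
    return _can_manage_resource(user, kb)


def can_view_graph(user: User, g: GraphRecord) -> bool:
    """Return True if *user* may view graph *g*; rules are identical to knowledge bases."""
    return _can_view_resource(user, g)


def can_manage_graph(user: User, g: GraphRecord) -> bool:
    """Return True if *user* may edit/delete *g*: its creator, or an admin of its enterprise."""
    return _can_manage_resource(user, g)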