
from functools import wraps
from django.contrib.auth.decorators import login_required
from django.core.exceptions import PermissionDenied
from django.http import HttpResponseForbidden
from django.template import loader
from .permissions import has_permission, get_user_permissions


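def department_required(*allowed_departments):
    """Restrict a view to superusers and members of the named departments.

    Use it with parentheses and one name per argument, e.g.
    ``@department_required('HR', 'Finance')``. ``login_required`` is applied
    to the wrapper, so the department check runs only for authenticated users.

    Args:
        *allowed_departments: Department names, compared for exact equality
            with ``request.user.employee_profile.department.name``.

    Returns:
        A decorator that wraps a view with the department check.

    Raises:
        TypeError: At decoration time, if an argument is a callable (the
            decorator was applied without parentheses) or a list/tuple/set
            (the names were passed as one collection).
    """
    # Such arguments can never equal a department name, and the mistake would
    # otherwise surface only when a request reaches the view. Reject it when
    # the module is imported instead.
    for entry in allowed_departments:
        if callable(entry) or isinstance(entry, (list, tuple, set, frozenset)):
            raise TypeError(
                "department_required() expects department names as separate "
                "string arguments, e.g. @department_required('HR', 'Finance')"
            )

    def decorator(view_func):
        @wraps(view_func)
        @login_required
        def _wrapped_view(request, *args, **kwargs):
            # Superusers bypass the department check entirely.
            if request.user.is_superuser:
                return view_func(request, *args, **kwargs)

            # Users without an employee profile, or without a department,
            # fall through to the 403 response below.
            profile = getattr(request.user, 'employee_profile', None)
            user_department = profile.department if profile else None
            # NOTE(review): access is keyed on the department's name, so
            # renaming a department changes who passes this check.
            if user_department and user_department.name in allowed_departments:
                return view_func(request, *args, **kwargs)

            # NOTE(review): the message lists every allowed department; if
            # 403.html renders error_message, denied users can read the rule.
            template = loader.get_template('403.html')
            context = {
                'error_message': f'This page is restricted to: {", ".join(allowed_departments)}',
                'user': request.user
            }
            return HttpResponseForbidden(template.render(context, request))
        return _wrapped_view
    return decorator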


def permission_required_with_message(permission, message=None):
    """Build a view decorator that requires ``permission`` and renders a 403 page on denial.

    ``login_required`` is applied to the wrapper, so the permission check runs
    only for authenticated users. Superusers are let through without calling
    ``has_permission``.

    Args:
        permission: Value passed to ``has_permission`` along with the user.
        message: Text for the 403 page. When falsy (``None`` or an empty
            string), a default message naming ``permission`` is used.

    Returns:
        A decorator that wraps a view with the permission check.
    """
    def decorator(view_func):
        def _checked(request, *args, **kwargs):
            user = request.user
            # Short-circuit keeps has_permission from being called for superusers.
            if user.is_superuser or has_permission(user, permission):
                return view_func(request, *args, **kwargs)

            # NOTE(review): the default text puts the permission identifier
            # into the response context; pass ``message`` to avoid that.
            denial_text = message or f"You need '{permission}' permission to access this page."
            body = loader.get_template('403.html').render(
                {'error_message': denial_text, 'user': user},
                request,
            )
            return HttpResponseForbidden(body)

        # Same stacking as decorating with @wraps(view_func) over @login_required.
        return wraps(view_func)(login_required(_checked))
    return decorator


def financial_access_required(view_func):
    """Require the ``'view_billing'`` permission to reach ``view_func``.

    The denial text mentions the billing department, but the check made here
    is on the ``'view_billing'`` permission, not on department membership.
    """
    guard = permission_required_with_message(
        'view_billing',
        'Access to financial data requires billing department permissions.',
    )
    return guard(view_func)


def hr_access_required(view_func):
    """Require the ``'view_employees'`` permission to reach ``view_func``.

    The denial text mentions HR or management, but the check made here is on
    the ``'view_employees'`` permission, not on a role or department.
    """
    guard = permission_required_with_message(
        'view_employees',
        'Access to employee data requires HR or management permissions.',
    )
    return guard(view_func)


def customer_management_required(view_func):
    """Require the ``'view_customers'`` permission to reach ``view_func``.

    The gate is the ``'view_customers'`` permission alone. Views that modify
    customer data would need their own check if that is a separate permission.
    """
    guard = permission_required_with_message(
        'view_customers',
        'Customer management requires appropriate department permissions.',
    )
    return guard(view_func)


def admin_only(view_func):
    """Allow only superusers through to ``view_func``; everyone else gets a 403 page.

    ``login_required`` is applied to the wrapper, so the superuser test runs
    only for authenticated users. The test is ``is_superuser`` alone;
    ``is_staff`` is not consulted.
    """
    def _superuser_gate(request, *args, **kwargs):
        if request.user.is_superuser:
            return view_func(request, *args, **kwargs)

        denial_page = loader.get_template('403.html').render(
            {
                'error_message': 'This page is restricted to system administrators only.',
                'user': request.user,
            },
            request,
        )
        return HttpResponseForbidden(denial_page)

    # Same stacking as decorating with @wraps(view_func) over @login_required.
    return wraps(view_func)(login_required(_superuser_gate))
