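import { AccessControlProvider } from "@refinedev/core";

/**
 * Resources that only administrators may access, whatever the action.
 */
const ADMIN_ONLY_RESOURCES = ["ApplicationUser", "PermissionPolicyRole", "Settings"];

/**
 * Access control provider implementing an Admin / non-Admin model with
 * action-level control.
 *
 * Rules, evaluated in order:
 *  1. Resources listed in ADMIN_ONLY_RESOURCES are denied to non-admins.
 *  2. The "delete" action is denied to non-admins on every resource.
 *  3. Everything else is allowed.
 *
 * SECURITY: the admin flag is read from localStorage / sessionStorage. Both
 * are writable by the user of the page and by any script running in the
 * origin, so the result is a UI hint (which buttons and pages to show), not
 * an authorization decision. The backend must enforce the same admin-only
 * and delete rules on every request.
 */
export const accessControlProvider: AccessControlProvider = {
  /**
   * Decides whether the current user may perform `action` on `resource`.
   *
   * @returns `{ can: true }` when allowed, otherwise `{ can: false, reason }`.
   */
  can: async ({ resource, action }) => {
    // localStorage takes precedence; sessionStorage is consulted only when the
    // localStorage entry is missing or empty. Anything other than the exact
    // string "true" is treated as non-admin, so the check fails closed.
    const storedFlag =
      localStorage.getItem("user_is_admin") || sessionStorage.getItem("user_is_admin");
    const isAdmin = storedFlag === "true";

    // The "user_roles" storage entry is deliberately not read here: no rule
    // depends on it, and JSON-parsing it would let a malformed value make
    // every permission check reject.

    // Rule 1: admin-only resources.
    if (resource && ADMIN_ONLY_RESOURCES.includes(resource) && !isAdmin) {
      return {
        can: false,
        reason: "Only Administrators can access this resource",
      };
    }

    // Rule 2: deleting records requires admin privileges on all resources.
    if (action === "delete" && !isAdmin) {
      return {
        can: false,
        reason: "Only Administrators can delete records",
      };
    }

    return { can: true };
  },
  options: {
    buttons: {
      enableAccessControl: true,
      // Hide unauthorized buttons; this is presentation only and does not
      // prevent the underlying request from being sent.
      hideIfUnauthorized: true,
    },
  },
};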