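defmodule Mv.Authorization.Checks.ActorIsAdmin do
  @moduledoc """
  Policy check: true when the actor's role has permission_set_name "admin".

  Used to restrict actions (e.g. User.update_user for member link/unlink) to
  admins only.

  The permission set name is read from `actor.role.permission_set_name` using
  atom keys first; when that lookup yields nothing, the string-keyed shape
  `actor["role"]["permission_set_name"]` is tried. The comparison against
  `"admin"` is exact and case-sensitive.

  The check fails closed: a `nil` actor, an actor without a role, or a role
  that carries no permission set name all evaluate to `false` instead of
  raising.
  """
  use Ash.Policy.SimpleCheck

  @impl true
  def describe(_opts), do: "actor has admin permission set"

  @impl true
  def match?(nil, _context, _opts), do: false

  def match?(actor, _context, _opts) do
    # Atom keys take precedence; the string-keyed form is consulted only when
    # the atom-keyed lookup yields nil or false.
    # NOTE(review): any map shaped like %{"role" => %{"permission_set_name" => "admin"}}
    # satisfies this check, so the actor must be built server-side and never
    # taken from request data as-is; confirm against callers.
    ps_name =
      permission_set_name(actor, :role, :permission_set_name) ||
        permission_set_name(actor, "role", "permission_set_name")

    ps_name == "admin"
  end

  # Returns the permission set name nested under `role_key`/`name_key`, or nil
  # when the actor or its role does not have that shape. A plain pattern match
  # is used instead of `Access.key/1`, which raises BadMapError as soon as the
  # role is nil; that made the string-key fallback unreachable and crashed the
  # policy check for role-less actors.
  # NOTE(review): presumably a role relationship that was not loaded on the
  # actor also ends up here and denies; verify that callers load the role.
  defp permission_set_name(actor, role_key, name_key) do
    case actor do
      %{^role_key => %{^name_key => name}} -> name
      _other -> nil
    end
  end
end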