defmodule Mv.Authorization.Checks.OidcRoleSyncContext do
  @moduledoc """
  Policy check that passes only while an action runs as part of OIDC role sync.

  The check is satisfied when either marker is strictly `true`:

    * `context.private.oidc_role_sync` on the authorizer's context, or
    * the `:oidc_role_sync` key in the calling process's dictionary.

  It exists so that the internal `set_role_from_oidc_sync` action can be run by
  `Mv.OidcRoleSync` without an actor. The actor is ignored entirely, so this
  check is an authorization bypass for whatever policy it is attached to.

  ## Security notes

    * A process-dictionary entry stays set until it is deleted or the process
      exits. NOTE(review): the code that sets `:oidc_role_sync` is not visible
      here; confirm it removes the key again (for example in a `try/after`)
      so that later actions in the same process do not inherit the bypass.
    * NOTE(review): confirm that the policy using this check is limited to the
      internal sync action, and that no externally reachable interface forwards
      caller-supplied data into `context.private`.
  """
  use Ash.Policy.SimpleCheck

  @impl true
  def describe(_opts) do
    "called from OIDC role sync (context.private.oidc_role_sync)"
  end

  @impl true
  def match?(_actor, authorizer, _opts) do
    # Either marker is sufficient; the actor and the check options are not consulted.
    flagged_in_context?(authorizer) or flagged_in_process?()
  end

  # Marker passed via action context, e.g.
  # Ash.update!(..., context: %{private: %{oidc_role_sync: true}}).
  # A missing or nil context is treated as an empty map, and only the literal
  # `true` counts; any other value is rejected.
  defp flagged_in_context?(authorizer) do
    ctx = Map.get(authorizer, :context) || %{}

    ctx
    |> get_in([:private, :oidc_role_sync])
    |> Kernel.==(true)
  end

  # Fallback for updates that run inside create's after_action, where the
  # context may not be passed along; the flag is then read from the process
  # dictionary instead. Only the literal `true` counts.
  defp flagged_in_process? do
    Process.get(:oidc_role_sync) == true
  end
end