```elixir
defmodule Mv.Authorization.Checks.HasJoinRequestAccess do
  @moduledoc """
  Simple policy check: true when the actor's permission set grants `:read` on
  the JoinRequest resource. Used for bypass policies on JoinRequest read actions.

  Uses `Ash.Policy.SimpleCheck` (not a filter-based check) so Ash does NOT call
  `auto_filter`, which would silently return an empty list for unauthorized
  actors instead of returning a Forbidden error. A boolean check makes the
  denial explicit.

  Returns true for permission sets that grant JoinRequest read `:all`
  (normal_user, admin). Returns false for all others (own_data, read_only),
  for a nil actor, and for an actor whose permission set name cannot be
  resolved to a known set.
  """

  use Ash.Policy.SimpleCheck

  alias Mv.Authorization.Actor
  alias Mv.Authorization.PermissionSets

  @impl true
  def describe(_opts), do: "actor has JoinRequest read/update access (normal_user or admin)"

  @impl true
  def match?(actor, _context, _opts) do
    with ps_name when not is_nil(ps_name) <- Actor.permission_set_name(actor),
         {:ok, ps_atom} <- PermissionSets.permission_set_name_to_atom(ps_name),
         permissions <- PermissionSets.get_permissions(ps_atom) do
      # Any granted :read entry for the JoinRequest resource is sufficient.
      Enum.any?(permissions.resources, fn p ->
        p.resource == "JoinRequest" and p.action == :read and p.granted
      end)
    else
      # nil actor, nil permission set name, or a name that does not resolve
      # to {:ok, atom}: fail closed.
      _ -> false
    end
  end
end
```
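The moduledoc above lists which permission sets must pass and which must fail, including the nil-actor case. The ExUnit test below is an added example, not part of the project, that pins those outcomes down so a later change to the permission tables cannot silently widen access. It assumes that `Actor.permission_set_name/1` reads the name from a `permission_set.name` field on the actor map (the real actor struct may differ; adjust `actor_with/1`), that `PermissionSets.permission_set_name_to_atom/1` returns something other than `{:ok, _}` for an unknown name rather than raising, and that the set names `normal_user`, `admin`, `own_data` and `read_only` exist as the moduledoc states.

```elixir
defmodule Mv.Authorization.Checks.HasJoinRequestAccessTest do
  use ExUnit.Case, async: true

  alias Mv.Authorization.Checks.HasJoinRequestAccess

  # Assumption: the actor carries its permission set name at
  # permission_set.name, which is what Actor.permission_set_name/1 reads.
  # Replace with the project's actor fixture if the shape differs.
  defp actor_with(ps_name), do: %{permission_set: %{name: ps_name}}

  # SimpleCheck.match?/3 ignores context and opts here, so empty values suffice.
  defp check(actor), do: HasJoinRequestAccess.match?(actor, %{}, [])

  describe "match?/3" do
    test "grants the sets that hold JoinRequest read :all" do
      for name <- ["normal_user", "admin"] do
        assert check(actor_with(name)), "expected #{name} to pass"
      end
    end

    test "denies the sets without JoinRequest read" do
      for name <- ["own_data", "read_only"] do
        refute check(actor_with(name)), "expected #{name} to be denied"
      end
    end

    test "denies a nil actor" do
      refute check(nil)
    end

    test "denies an actor whose permission set name does not resolve" do
      # Assumption: permission_set_name_to_atom/1 does not raise on unknown
      # names; the with-clause then falls through to the else branch.
      refute check(actor_with("no_such_permission_set"))
    end

    test "describe/1 names the sets that pass" do
      assert HasJoinRequestAccess.describe([]) =~ "normal_user"
      assert HasJoinRequestAccess.describe([]) =~ "admin"
    end
  end
end
```

Because the check is a `SimpleCheck`, each of these calls yields a plain boolean; the denial tests would not be expressible this way against a filter check, which is exactly the failure mode the moduledoc warns about.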