use domain::entities::permission::{admin_permissions, viewer_permissions};
use domain::entities::{Permission, PermissionAction, ResourceType, Role};
use domain::services::permission_service::PermissionChecker;

#[test]
fn viewer_can_read() {
    let role = Role::new("viewer", viewer_permissions(), true);
    assert!(PermissionChecker::has_permission(
        &[role],
        PermissionAction::ReadAsset,
        ResourceType::Asset,
    ));
}

#[test]
fn viewer_cannot_delete() {
    let role = Role::new("viewer", viewer_permissions(), true);
    assert!(!PermissionChecker::has_permission(
        &[role],
        PermissionAction::DeleteAsset,
        ResourceType::Asset,
    ));
}

#[test]
fn roles_additive() {
    let r1 = Role::new(
        "r1",
        [Permission::new(
            PermissionAction::ReadAsset,
            ResourceType::Global,
        )]
        .into(),
        false,
    );
    let r2 = Role::new(
        "r2",
        [Permission::new(
            PermissionAction::WriteMetadata,
            ResourceType::Global,
        )]
        .into(),
        false,
    );
    let eff = PermissionChecker::effective_permissions(&[r1, r2]);
    assert_eq!(eff.len(), 2);
}

#[test]
fn global_covers_specific() {
    let role = Role::new("admin", admin_permissions(), true);
    assert!(PermissionChecker::has_permission(
        &[role],
        PermissionAction::ReadAsset,
        ResourceType::Album,
    ));
}