// Authorization tests for role-based permission checks: each test builds one or
// more roles and asks `PermissionChecker` what those roles are allowed to do.
use domain::entities::{Permission, PermissionAction, ResourceType, Role};
use domain::entities::permission::{admin_permissions, viewer_permissions};
use domain::services::permission_service::PermissionChecker;

/// Allow case: a role carrying `viewer_permissions()` may read an asset.
#[test]
fn viewer_can_read() {
    let roles = [Role::new("viewer", viewer_permissions(), true)];

    let allowed = PermissionChecker::has_permission(
        &roles,
        PermissionAction::ReadAsset,
        ResourceType::Asset,
    );

    assert!(allowed);
}

/// Deny case: the same viewer role must not be able to delete an asset.
///
/// This is the negative counterpart of `viewer_can_read`; it fails if the
/// viewer permission set ever grows a destructive action.
#[test]
fn viewer_cannot_delete() {
    let roles = [Role::new("viewer", viewer_permissions(), true)];

    let allowed = PermissionChecker::has_permission(
        &roles,
        PermissionAction::DeleteAsset,
        ResourceType::Asset,
    );

    assert!(!allowed);
}

/// Two roles with one distinct permission each yield two effective permissions.
#[test]
fn roles_additive() {
    let read_global = Permission::new(PermissionAction::ReadAsset, ResourceType::Global);
    let write_global = Permission::new(PermissionAction::WriteMetadata, ResourceType::Global);

    let reader = Role::new("r1", [read_global].into(), false);
    let writer = Role::new("r2", [write_global].into(), false);

    let merged = PermissionChecker::effective_permissions(&[reader, writer]);

    // NOTE(review): only the size of the merged set is checked, not its members;
    // asserting the two expected permissions are present would also catch a
    // merge that returns the right count with the wrong grants.
    assert_eq!(merged.len(), 2);
}

/// A role carrying `admin_permissions()` passes a `ReadAsset` check on an album.
#[test]
fn global_covers_specific() {
    let roles = [Role::new("admin", admin_permissions(), true)];

    // The check below targets `ResourceType::Album`. Presumably the admin set
    // grants `ReadAsset` at `ResourceType::Global` and the checker treats a
    // global grant as covering narrower resource types; confirm against
    // `admin_permissions()`, which is not visible here.
    let allowed = PermissionChecker::has_permission(
        &roles,
        PermissionAction::ReadAsset,
        ResourceType::Album,
    );

    assert!(allowed);
}