import {
  Controller,
  Get,
  Post,
  Put,
  Delete,
  Body,
  Param,
  Query,
  UseGuards,
  ParseUUIDPipe,
} from '@nestjs/common';
import { RolesService } from './roles.service';
import {
  CreateRoleDto,
  UpdateRoleDto,
  AssignPermissionsDto,
  RoleQueryDto,
} from './dto/role.dto';
import { PermissionsGuard } from '../auth/guards/permissions.guard';
import { RequirePermissions } from '@common/decorators/permissions.decorator';
import { Auditable, Sensitive } from '@core/observability/audit/decorators/auditable.decorator';

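/**
 * HTTP surface for role management under `/roles`.
 *
 * Every handler declares the permission it needs with `@RequirePermissions`.
 * That decorator only attaches metadata to the route; nothing is enforced
 * unless a guard reads it. `PermissionsGuard` is therefore applied once at the
 * class level so that every handler below is covered (the original file
 * imported `UseGuards` and `PermissionsGuard` but never applied them). If the
 * guard is additionally registered globally (APP_GUARD) elsewhere in the
 * application, this declaration is redundant but harmless.
 *
 * "Scope: organization" on each handler describes the intended tenancy rule
 * (callers may only see/modify roles of their own organisation); that rule is
 * not enforced in this controller — NOTE(review): confirm it is applied in
 * `RolesService`, since the ids arriving here are only validated as UUIDs.
 *
 * Mutating handlers carry `@Auditable()` and `@Sensitive()` so the audit
 * layer records them.
 */
@Controller('roles')
@UseGuards(PermissionsGuard)
export class RolesController {
  constructor(private readonly rolesService: RolesService) {}

  /**
   * List roles.
   *
   * Scope: organization — only roles of the caller's organisation.
   *
   * @param query - Filter/pagination parameters, validated as `RoleQueryDto`.
   * @returns Whatever `RolesService.findAll` resolves to.
   */
  @Get()
  @RequirePermissions('role:read')
  async findAll(@Query() query: RoleQueryDto) {
    return this.rolesService.findAll(query);
  }

  /**
   * Fetch a single role by id.
   *
   * Scope: organization — only roles of the caller's organisation.
   *
   * @param id - Role id; `ParseUUIDPipe` rejects non-UUID values with a 400
   *   before the service is reached.
   */
  @Get(':id')
  @RequirePermissions('role:read')
  async findOne(@Param('id', ParseUUIDPipe) id: string) {
    return this.rolesService.findOne(id);
  }

  /**
   * Create a role.
   *
   * Scope: organization — the role is created in the caller's organisation.
   * Audited and marked sensitive.
   *
   * @param createRoleDto - Validated creation payload.
   */
  @Post()
  @Auditable()
  @Sensitive()
  @RequirePermissions('role:create')
  async create(@Body() createRoleDto: CreateRoleDto) {
    return this.rolesService.create(createRoleDto);
  }

  /**
   * Update a role.
   *
   * Scope: organization — only roles of the caller's organisation.
   * Audited and marked sensitive.
   *
   * @param id - Role id (UUID-validated).
   * @param updateRoleDto - Validated update payload.
   */
  @Put(':id')
  @Auditable()
  @Sensitive()
  @RequirePermissions('role:update')
  async update(
    @Param('id', ParseUUIDPipe) id: string,
    @Body() updateRoleDto: UpdateRoleDto,
  ) {
    return this.rolesService.update(id, updateRoleDto);
  }

  /**
   * Delete a role.
   *
   * Scope: organization — only roles of the caller's organisation.
   * Audited and marked sensitive.
   *
   * @param id - Role id (UUID-validated).
   */
  @Delete(':id')
  @Auditable()
  @Sensitive()
  @RequirePermissions('role:delete')
  async remove(@Param('id', ParseUUIDPipe) id: string) {
    return this.rolesService.remove(id);
  }

  /**
   * List the permissions attached to a role.
   *
   * Scope: organization — only roles of the caller's organisation.
   *
   * @param id - Role id (UUID-validated).
   */
  @Get(':id/permissions')
  @RequirePermissions('role:read')
  async getPermissions(@Param('id', ParseUUIDPipe) id: string) {
    return this.rolesService.getPermissions(id);
  }

  /**
   * Replace the role's permission set with the one supplied.
   *
   * This is a full replacement, not a merge: permissions absent from
   * `assignPermissionsDto.permissionIds` are removed. Requires the broader
   * `role:manage` permission rather than `role:update`. Audited and marked
   * sensitive.
   *
   * Scope: organization — only roles of the caller's organisation.
   *
   * @param id - Role id (UUID-validated).
   * @param assignPermissionsDto - Carries the complete new `permissionIds` list.
   */
  @Put(':id/permissions')
  @Auditable()
  @Sensitive()
  @RequirePermissions('role:manage')
  async assignPermissions(
    @Param('id', ParseUUIDPipe) id: string,
    @Body() assignPermissionsDto: AssignPermissionsDto,
  ) {
    return this.rolesService.assignPermissions(id, assignPermissionsDto.permissionIds);
  }

  /**
   * List the users holding a role.
   *
   * Scope: organization — only roles of the caller's organisation.
   *
   * @param id - Role id (UUID-validated).
   */
  @Get(':id/users')
  @RequirePermissions('role:read')
  async getUsers(@Param('id', ParseUUIDPipe) id: string) {
    return this.rolesService.getUsers(id);
  }

  // NOTE: user-role assignment has moved to UsersController.
  // Use these endpoints instead:
  // - POST /users/:id/roles          - assign roles to a user
  // - DELETE /users/:id/roles/:roleId - remove a role from a user
  // See UsersService.assignRoles() and UsersService.removeRole().
}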
