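package tests

import (
	"testing"
)

// TestOrgPermission checks organization authorization end to end:
// the creator (User1) becomes the owner, an outsider (User2) must not be
// able to modify the org, a plain member still must not, and the owner
// must. Each negative case accepts either a non-200 HTTP status or a
// 200 that carries an application error code (>= 40000), since the API
// may signal denial either way; a 5xx is never accepted as a denial.
//
// Relies on helpers declared elsewhere in this package: ensureUsers,
// doRequest, assertStatus, decodeResponse, the User1Token / User2Token /
// User2ID fixtures and the BaseResp / OrgResp response types.
func TestOrgPermission(t *testing.T) {
	ensureUsers(t)

	// User1 is the org creator (owner); User2 starts as an outsider and is
	// promoted to member in step 3.
	var orgID string

	// 1. User1 creates the org.
	t.Run("User1 Creates Org", func(t *testing.T) {
		resp := doRequest(t, "POST", "/api/orgs", map[string]string{
			"code":        "test_org_1",
			"name":        "Test Org 1",
			"description": "Created by User1",
		}, User1Token)
		// The fixed org code assumes a clean database per run; a leftover
		// org from an earlier run would surface here as a non-200 status.
		assertStatus(t, resp, 200)

		var data struct {
			ID string `json:"id"`
		}
		decodeResponse(t, resp, &data)
		orgID = data.ID
	})
	if orgID == "" {
		t.Fatal("Failed to create org, skipping remaining org tests")
	}

	// 2. User2 (outsider) tries to update the org; must be denied.
	t.Run("User2 (Outsider) updates Org", func(t *testing.T) {
		resp := doRequest(t, "PATCH", "/api/orgs/"+orgID, map[string]string{
			"name": "Hacked By User2",
		}, User2Token)
		if resp.Code >= 500 {
			// A server error is not an authorization decision; treating it as
			// "denied" would let a broken permission check pass this test.
			t.Fatalf("Expected a permission denial, got server error status %d", resp.Code)
		}
		if resp.Code != 200 {
			return // denied at the HTTP layer
		}
		// Denial may also be expressed as a 200 with an application error code.
		var errResp BaseResp
		decodeResponse(t, resp, &errResp)
		if errResp.Code < 40000 {
			t.Errorf("Expected error code, got %d. Msg: %s", errResp.Code, errResp.Msg)
		}
	})

	// 3. User1 (owner) adds User2 as a member.
	t.Run("User1 adds User2 as Member", func(t *testing.T) {
		// Endpoint: POST /api/orgs/:id/members
		// Body: { "user_id": "...", "role": "member" }
		resp := doRequest(t, "POST", "/api/orgs/"+orgID+"/members", map[string]string{
			"user_id": User2ID,
			"role":    "member",
		}, User1Token)
		assertStatus(t, resp, 200)
	})

	// 4. User2 (now a member) tries to update the org; a member must not be
	// able to change org info, so this must still be denied.
	t.Run("User2 (Member) updates Org", func(t *testing.T) {
		resp := doRequest(t, "PATCH", "/api/orgs/"+orgID, map[string]string{
			"name": "Hacked By Member",
		}, User2Token)
		if resp.Code >= 500 {
			// Same reasoning as in step 2: a 5xx is not a denial.
			t.Fatalf("Expected a permission denial, got server error status %d", resp.Code)
		}
		if resp.Code != 200 {
			return // denied at the HTTP layer
		}
		var errResp BaseResp
		decodeResponse(t, resp, &errResp)
		if errResp.Code < 40000 {
			t.Errorf("Expected error code, got %d. Msg: %s", errResp.Code, errResp.Msg)
		}
	})

	// 5. User1 (owner) updates the org; must succeed and the new name must
	// be reflected in the response.
	t.Run("User1 (Owner) updates Org", func(t *testing.T) {
		resp := doRequest(t, "PATCH", "/api/orgs/"+orgID, map[string]string{
			"name": "Updated By User1",
		}, User1Token)
		assertStatus(t, resp, 200)

		var data OrgResp
		decodeResponse(t, resp, &data)
		if data.Name != "Updated By User1" {
			t.Errorf("Expected name 'Updated By User1', got '%s'", data.Name)
		}
	})
}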