from rest_framework.permissions import BasePermission, SAFE_METHODS


class IsAdminOrSuperAdmin(BasePermission):
    """Any authenticated user with role admin or superadmin."""
    def has_permission(self, request, view):
        return bool(
            request.user and
            request.user.is_authenticated and
            request.user.role in ("admin", "superadmin")
        )


class IsSuperAdmin(BasePermission):
    """Only superadmin."""
    def has_permission(self, request, view):
        return bool(
            request.user and
            request.user.is_authenticated and
            request.user.role == "superadmin"
        )


class IsAdminOrSuperAdminOrReadOnly(BasePermission):
    """Read-only for public; write requires admin/superadmin."""
    def has_permission(self, request, view):
        if request.method in SAFE_METHODS:
            return True
        return bool(
            request.user and
            request.user.is_authenticated and
            request.user.role in ("admin", "superadmin")
        )
