from django.contrib import admin
from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
from .models import User, AuditLog, UserRole


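@admin.register(User)
class UserAdmin(BaseUserAdmin):
    """Admin configuration for User with a superadmin/admin split.

    Superadmins see every user. Everyone else sees only users whose role is
    ``UserRole.ADMIN``, cannot change or delete a superadmin, and gets the
    privilege-granting fields rendered read-only, so an admin cannot raise
    their own or a peer's privileges through the change or add form.
    """

    list_display = ("email", "full_name", "role", "is_active", "is_staff", "created_at")
    list_filter = ("role", "is_active", "is_staff")
    search_fields = ("email", "full_name")
    ordering = ("-created_at",)

    fieldsets = (
        (None, {"fields": ("email", "password")}),
        ("Personal Info", {"fields": ("full_name", "phone", "avatar_url", "bio")}),
        ("Permissions", {"fields": ("role", "is_active", "is_staff", "is_superuser", "groups", "user_permissions")}),
        ("Metadata", {"fields": ("last_login_ip",)}),
    )

    add_fieldsets = (
        (None, {
            "classes": ("wide",),
            "fields": ("email", "full_name", "password1", "password2", "role", "is_active", "is_staff"),
        }),
    )

    # Fields that assign privileges. Without this lock, any staff user holding
    # the change permission could set role/is_superuser on a record they can
    # open (including their own), bypassing the superadmin checks below.
    superadmin_only_fields = ("role", "is_superuser", "groups", "user_permissions")

    def get_queryset(self, request):
        """Return all users for a superadmin, otherwise only ADMIN-role users."""
        qs = super().get_queryset(request)
        # NOTE(review): this check compares request.user.role, while the
        # permission hooks read request.user.is_superadmin -- confirm both
        # always agree.
        if request.user.role == UserRole.SUPERADMIN:
            return qs
        return qs.filter(role=UserRole.ADMIN)

    def get_readonly_fields(self, request, obj=None):
        """Lock the privilege-granting fields for anyone but a superadmin.

        Applies to the add form as well (``obj`` is None there), so a
        non-superadmin cannot create an account with an elevated role; the
        new user then gets the model's default role.
        """
        readonly = tuple(super().get_readonly_fields(request, obj))
        # NOTE(review): is_superadmin is read as an attribute, as in the
        # permission hooks below; if it were a plain method the bound method
        # would always be truthy -- confirm it is a property/field on User.
        if request.user.is_superadmin:
            return readonly
        locked = tuple(
            name for name in self.superadmin_only_fields if name not in readonly
        )
        return readonly + locked

    def has_change_permission(self, request, obj=None):
        """Deny changes to a superadmin record unless the requester is one."""
        # Admins cannot edit superadmins
        if (
            obj is not None
            and obj.role == UserRole.SUPERADMIN
            and not request.user.is_superadmin
        ):
            return False
        return super().has_change_permission(request, obj)

    def has_delete_permission(self, request, obj=None):
        """Deny deletion of a superadmin record unless the requester is one."""
        if (
            obj is not None
            and obj.role == UserRole.SUPERADMIN
            and not request.user.is_superadmin
        ):
            return False
        return super().has_delete_permission(request, obj)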


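@admin.register(AuditLog)
class AuditLogAdmin(admin.ModelAdmin):
    """View-only admin for AuditLog entries.

    Entries cannot be added or changed through the admin; deletion is
    limited to users whose ``is_superadmin`` attribute is truthy.
    """

    list_display = ("user", "action", "model_name", "object_id", "ip_address", "created_at")
    list_filter = ("action",)
    search_fields = ("user__email", "model_name", "description")
    readonly_fields = ("user", "action", "model_name", "object_id", "description", "ip_address", "created_at")

    def has_add_permission(self, request):
        """Refuse manual creation of audit entries."""
        return False  # Audit logs should never be manually created

    def has_change_permission(self, request, obj=None):
        """Refuse edits to audit entries.

        readonly_fields alone only covers the fields listed above: a field
        added to the model later would be editable by default, and the change
        form could still be submitted, re-saving the row. Denying the
        permission makes the record immutable regardless of the field list.
        Users holding the view or change permission can still open entries
        read-only (relies on Django's view permission, 2.1+).
        """
        return False

    def has_delete_permission(self, request, obj=None):
        """Allow deletion only for superadmins."""
        # NOTE(review): this does not consult super().has_delete_permission,
        # so the model-level delete permission is not checked here, and purges
        # remove the evidence trail -- consider logging or exporting first.
        return request.user.is_superadmin  # Only superadmin can purge logs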