<?php

namespace App\Http\Middleware;

use Closure;
use App\Models\AdminUser;
use App\Lottery\ErrorCode;
use App\Support\ApiResponse;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * 后台 RBAC：在 {@see EnsureAdminApi} 之后校验 `prd.*` 等功能权限 slug（与 {@see AdminUser::hasAdminPermission} 一致）。
 * 路由参数支持 `slug` 或 `slug1|slug2`（满足其一即可）。
 */
final class EnsureAdminPermission
{
    public function handle(Request $request, Closure $next, string $permissionSlugs): Response
    {
        $admin = $request->lotteryAdmin();
        if (! $admin instanceof AdminUser) {
            return ApiResponse::error(
                trans('admin.unauthenticated', [], $request->lotteryLocale()),
                ErrorCode::AdminUnauthenticated->value,
                null,
                401,
            );
        }

        $slugs = array_values(array_filter(array_map('trim', explode('|', $permissionSlugs))));
        if ($slugs === []) {
            return $next($request);
        }

        foreach ($slugs as $slug) {
            if ($admin->hasAdminPermission($slug)) {
                return $next($request);
            }
        }

        return ApiResponse::error(
            trans('admin.permission_denied', [], $request->lotteryLocale()),
            ErrorCode::AdminForbidden->value,
            ['required_any' => $slugs],
            403,
        );
    }
}