<?php

declare(strict_types=1);

namespace App\Module\Core\Infrastructure\Security;

use App\Module\Core\Domain\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Vote;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

/**
 * @extends Voter<string, mixed>
 */
final class PermissionVoter extends Voter
{
    // Les codes de permission sont au format module.resource.action où chaque
    // segment peut contenir des tirets (ex. project-management, time-tracking).
    private const string PATTERN = '/^[a-z][a-z0-9_-]*(\.[a-z][a-z0-9_-]*)+$/';

    protected function supports(string $attribute, mixed $subject): bool
    {
        return 1 === preg_match(self::PATTERN, $attribute);
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token, ?Vote $vote = null): bool
    {
        $user = $token->getUser();
        if (!$user instanceof User) {
            return false;
        }

        // ROLE_ADMIN = bypass total (cf. Décision 1).
        if (in_array('ROLE_ADMIN', $user->getRoles(), true)) {
            return true;
        }

        return in_array($attribute, $user->getEffectivePermissions(), true);
    }
}