<?php

declare(strict_types=1);

namespace App\State;

use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\Entity\User;
use App\Entity\WorkHour;
use App\Security\EmployeeScopeService;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

final readonly class WorkHourSiteValidationProcessor implements ProcessorInterface
{
    public function __construct(
        private Security $security,
        private EmployeeScopeService $employeeScopeService,
        private EntityManagerInterface $entityManager,
    ) {}

    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): WorkHour
    {
        if (!$data instanceof WorkHour) {
            throw new AccessDeniedHttpException('Invalid payload.');
        }

        $user = $this->security->getUser();
        if (!$user instanceof User) {
            throw new AccessDeniedHttpException('Authentication required.');
        }

        // Réservé aux profils "Sites" (ni admin, ni self).
        if (in_array('ROLE_ADMIN', $user->getRoles(), true) || in_array('ROLE_SELF', $user->getRoles(), true)) {
            throw new AccessDeniedHttpException('Only site managers can update site validation.');
        }

        $siteId = $data->getEmployee()?->getSite()?->getId();
        if (!$siteId) {
            throw new AccessDeniedHttpException('Employee site is required.');
        }

        $allowedSiteIds = $this->employeeScopeService->getAllowedSiteIds($user);
        if (!in_array($siteId, $allowedSiteIds, true)) {
            throw new AccessDeniedHttpException('Employee is outside your site scope.');
        }

        $this->entityManager->flush();

        return $data;
    }
}