<?php

declare(strict_types=1);

namespace App\Tests\Module\Catalog\Api;

/**
 * RBAC du stockage (M7, ERP-210 — admin-only). Jumeau du ProductRBACMatrixTest.
 *
 * La matrice est volontairement tres restrictive : seul l'Admin porte
 * `catalog.storages.view` / `.manage`. Les 4 personas metier MALIO (Bureau, Compta,
 * Commerciale, Usine) n'ont AUCUNE permission stockage -> 403 partout. Un porteur de
 * `view` lit (200) mais ne peut pas creer (403). Anonyme -> 401.
 *
 * @internal
 */
final class StorageRBACMatrixTest extends AbstractStorageApiTestCase
{
    /** Personas metier sans permission stockage (admin-only). */
    private const array PERSONAS = ['Bureau', 'Compta', 'Commerciale', 'Usine'];

    public function testAdminHasFullAccess(): void
    {
        $client = $this->createAdminClient();

        $client->request('GET', '/api/storages', ['headers' => ['Accept' => self::LD]]);
        self::assertResponseStatusCodeSame(200);

        $client->request('POST', '/api/storages', [
            'headers' => ['Content-Type' => self::LD],
            'json'    => $this->validStoragePayload(),
        ]);
        self::assertResponseStatusCodeSame(201);
    }

    public function testBusinessPersonasAreForbiddenEverywhere(): void
    {
        $storage = $this->seedStorageEntity();
        $id      = (int) $storage->getId();

        foreach (self::PERSONAS as $persona) {
            $client = $this->createPersonaClient($persona);

            $client->request('GET', '/api/storages', ['headers' => ['Accept' => self::LD]]);
            self::assertResponseStatusCodeSame(403, $persona.' ne doit pas lister les stockages.');

            $client->request('GET', '/api/storages/'.$id, ['headers' => ['Accept' => self::LD]]);
            self::assertResponseStatusCodeSame(403, $persona.' ne doit pas consulter un stockage.');

            $client->request('POST', '/api/storages', [
                'headers' => ['Content-Type' => self::LD],
                'json'    => $this->validStoragePayload(),
            ]);
            self::assertResponseStatusCodeSame(403, $persona.' ne doit pas creer de stockage.');

            $client->request('PATCH', '/api/storages/'.$id, [
                'headers' => ['Content-Type' => self::MERGE],
                'json'    => ['numero' => 'X'],
            ]);
            self::assertResponseStatusCodeSame(403, $persona.' ne doit pas modifier un stockage.');
        }
    }

    public function testViewPermissionReadsButCannotManage(): void
    {
        $storage = $this->seedStorageEntity();
        $client  = $this->authView();

        $client->request('GET', '/api/storages', ['headers' => ['Accept' => self::LD]]);
        self::assertResponseStatusCodeSame(200);

        $client->request('GET', '/api/storages/'.$storage->getId(), ['headers' => ['Accept' => self::LD]]);
        self::assertResponseStatusCodeSame(200);

        // view sans manage : creation refusee au niveau securite (403).
        $client->request('POST', '/api/storages', [
            'headers' => ['Content-Type' => self::LD],
            'json'    => $this->validStoragePayload(),
        ]);
        self::assertResponseStatusCodeSame(403);
    }

    public function testAnonymousIsUnauthorized(): void
    {
        $client = self::createClient();

        $client->request('GET', '/api/storages', ['headers' => ['Accept' => self::LD]]);
        self::assertResponseStatusCodeSame(401);
    }
}