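#!/usr/bin/env python3
"""
Verify the admin@loaf.org account configuration after the RBAC migration.

The script prints the account's status, its legacy enum role, its dynamic
role (``role_id``) and the permissions attached to that role, then reports
whether each role source grants admin access.

Exit status: 0 when the checks complete without an error, 1 when the user is
missing, ``role_id`` points at a role that does not exist, or an exception is
raised. Automation that runs this after a migration can therefore tell a
failed verification from a successful one.
"""

import os
import sys
import traceback

from dotenv import load_dotenv
from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker

# Add this script's directory to the path so the project modules import.
sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))

# Load .env before importing `database`.
# NOTE(review): database.py presumably builds DATABASE_URL from environment
# variables at import time - confirm. Loading first is harmless either way.
load_dotenv()

from models import User, Role, Permission, RolePermission
from database import DATABASE_URL

# Role values/codes that this script treats as granting admin access.
ADMIN_ROLE_CODES = ("admin", "superadmin")

# Module-level engine and session; the session is closed in the __main__ guard.
engine = create_engine(DATABASE_URL)
Session = sessionmaker(bind=engine)
db = Session()

# NOTE(review): the status glyphs inside the messages below look mis-encoded
# (likely UTF-8 emoji decoded with a legacy code page). They are kept exactly
# as found; confirm the file is stored as UTF-8.


def verify_admin_account():
    """Print a verification report for the admin@loaf.org account.

    Returns:
        bool: False when the user does not exist or when ``role_id`` is set
        but no matching Role row exists; True otherwise. Warnings (no dynamic
        role, no permissions, role sources disagreeing) do not change the
        result.
    """
    print("=" * 80)
    print("VERIFYING admin@loaf.org ACCOUNT")
    print("=" * 80)

    # Find the user
    user = db.query(User).filter(User.email == "admin@loaf.org").first()
    if not user:
        print("\nāŒ ERROR: User 'admin@loaf.org' not found in database!")
        return False

    ok = True

    print(f"\nāœ… User found: {user.first_name} {user.last_name}")
    print(f" Email: {user.email}")
    print(f" Status: {user.status}")
    print(f" Email Verified: {user.email_verified}")

    # Legacy role enum
    print(f"\nšŸ“‹ Legacy Role (enum): {user.role.value if user.role else 'None'}")

    # New dynamic role; looked up once and reused by the access check below.
    role = None
    if user.role_id:
        role = db.query(Role).filter(Role.id == user.role_id).first()
        if role:
            print(f"āœ… Dynamic Role: {role.name} (code: {role.code})")
            print(f" Role ID: {role.id}")
            print(f" Is System Role: {role.is_system_role}")
        else:
            # A dangling role_id means the account's authorization state is
            # undefined, so it counts as a failed verification.
            print(f"āŒ ERROR: role_id set to {user.role_id} but role not found!")
            ok = False
    else:
        print("āš ļø WARNING: No dynamic role_id set")

    # Permissions
    print("\nšŸ” Checking Permissions:")

    if user.role_id:
        role_perms = db.query(RolePermission).filter(
            RolePermission.role_id == user.role_id
        ).all()

        print(f" Total permissions assigned to role: {len(role_perms)}")

        if role_perms:
            print("\n Sample permissions:")
            for rp in role_perms[:10]:  # Show first 10
                perm = db.query(Permission).filter(
                    Permission.id == rp.permission_id
                ).first()
                if perm:
                    print(f" - {perm.code}: {perm.name}")
            if len(role_perms) > 10:
                print(f" ... and {len(role_perms) - 10} more")
        else:
            print(" āš ļø WARNING: No permissions assigned to this role!")
    else:
        # No dynamic role: fall back to permissions keyed by the legacy enum.
        legacy_perms = db.query(RolePermission).filter(
            RolePermission.role == user.role
        ).all()
        print(f" Legacy permissions (via enum): {len(legacy_perms)}")

    # Access check against both role sources
    print("\nšŸŽÆ Access Check:")
    legacy_admin = bool(user.role and user.role.value in ADMIN_ROLE_CODES)
    if legacy_admin:
        print(" āœ… User should have admin access (based on legacy enum)")
    else:
        print(" āŒ User does NOT have admin access (based on legacy enum)")

    if user.role_id:
        dynamic_admin = bool(role and role.code in ADMIN_ROLE_CODES)
        if dynamic_admin:
            print(" āœ… User should have admin access (based on dynamic role)")
        else:
            print(" āŒ User does NOT have admin access (based on dynamic role)")

        # After the migration the two sources should agree. When they do not,
        # the effective privilege depends on which one the application
        # enforces, which this script cannot see.
        if dynamic_admin != legacy_admin:
            print(" WARNING: legacy enum and dynamic role disagree on admin access")

    print("\n" + "=" * 80)
    print("VERIFICATION COMPLETE")
    print("=" * 80)

    return ok


if __name__ == "__main__":
    exit_code = 1
    try:
        if verify_admin_account():
            exit_code = 0
    except Exception as e:
        print(f"\nāŒ ERROR: {e}")
        traceback.print_exc()
    finally:
        db.close()
    sys.exit(exit_code)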