# The policy will resolve to all locations that a user has access. This includes locations that a user has roles for
# but also those locations for which a user has a client role.  Global roles grant access to ALL locations.
module G5Updatable
  class LocationPolicy < G5Authenticatable::BasePolicy
    class Scope < G5Authenticatable::BasePolicy::BaseScope

      def resolve
        locations_from_client_location_roles
      end

      private

      def location_roles
        G5Authenticatable::Role
          .joins('INNER JOIN g5_updatable_locations as l ON l.id = g5_authenticatable_roles.resource_id')
          .joins('INNER JOIN g5_authenticatable_users_roles as ur ON g5_authenticatable_roles.id = ur.role_id')
          .where('g5_authenticatable_roles.resource_type = ? and ur.user_id = ?',
                 G5Updatable::Location.name, user.id)
      end

      def locations_from_client_roles
        G5Updatable::Location
          .joins('INNER JOIN g5_updatable_clients as c on g5_updatable_locations.client_urn=c.urn')
          .joins('INNER JOIN g5_authenticatable_roles as r on r.resource_id=c.id')
          .joins('INNER JOIN g5_authenticatable_users_roles as ur on r.id=ur.role_id')
          .where('ur.user_id=?',user.id)
          .where('r.resource_type=?', G5Updatable::Client.name)
      end


      def locations_from_client_location_roles
        return scope.all if has_global_role?
        location_ids = locations_from_client_roles.map(&:id) | location_roles.map(&:resource_id)
        G5Updatable::Location.where(id: location_ids)
      end
    end
  end
end