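from rest_framework import permissions

"""DRF permission classes for tenant isolation and role-based access.

All classes fail closed: an anonymous request, a user object missing the
``tenant``/``role`` attribute, or an unexpected role value is denied instead
of raising (an AttributeError inside a permission check would surface as a
500 rather than a 403).

Note on composition: DRF AND-s the classes listed in ``permission_classes``.
``IsStudentReadOnly`` returns True for every non-student, so combining it
with ``|`` instead of listing it alongside a role/tenant check turns it into
a bypass for any non-student user.
"""

# Role strings as stored on the user model. Kept in one place so the
# per-class role lists cannot drift apart.
ADMIN_ROLES = frozenset({'super_admin', 'institution_admin'})
TEACHER_ROLES = ADMIN_ROLES | {'teacher'}
STUDENT_ROLE = 'student'


def _authenticated_user(request):
    """Return ``request.user`` when it is an authenticated user, else ``None``.

    Every check below starts from this helper so a missing or anonymous user
    is a deny rather than an attribute error further down.
    """
    user = getattr(request, 'user', None)
    if user and user.is_authenticated:
        return user
    return None


class IsTenantUser(permissions.BasePermission):
    """Allow only authenticated users that belong to a tenant.

    View level: the user must be authenticated and have a truthy ``tenant``.

    Object level: an object that exposes a ``tenant`` attribute must belong
    to the requesting user's tenant.

    SECURITY NOTE: objects *without* a ``tenant`` attribute are let through
    (fail-open). Models that are tenant-scoped only through a relation
    (e.g. ``obj.project.tenant``) are therefore NOT isolated by this class;
    such views need a model-specific object permission or a queryset filter.
    """

    def has_permission(self, request, view):
        user = _authenticated_user(request)
        # getattr: a user model without ``tenant`` is denied, not a 500.
        return bool(user and getattr(user, 'tenant', None))

    def has_object_permission(self, request, view, obj):
        if not hasattr(obj, 'tenant'):
            # Nothing to compare against; see the class docstring.
            return True
        user_tenant = getattr(getattr(request, 'user', None), 'tenant', None)
        # Deny when the user has no tenant even if has_permission was not
        # run first (e.g. check_object_permissions called directly): without
        # this guard ``obj.tenant is None == user.tenant is None`` would grant
        # access across tenants.
        return bool(user_tenant) and obj.tenant == user_tenant


class _RolePermission(permissions.BasePermission):
    """Base for view-level checks that grant access to a fixed set of roles.

    Subclasses set ``allowed_roles``. A user whose ``role`` attribute is
    missing or not in the set is denied.
    """

    allowed_roles = frozenset()

    def has_permission(self, request, view):
        user = _authenticated_user(request)
        return bool(user) and getattr(user, 'role', None) in self.allowed_roles


class IsAdmin(_RolePermission):
    """Allow access only to the ``super_admin`` and ``institution_admin`` roles."""

    allowed_roles = ADMIN_ROLES


class IsProjectOwner(permissions.BasePermission):
    """Allow object-level access only to the user recorded in ``created_by``.

    This class defines no ``has_permission``, so on its own it does not
    restrict list/create endpoints (DRF's default grants view-level access).
    List it together with a tenant/role class. Objects without a
    ``created_by`` attribute, or with ``created_by`` unset, are denied.
    """

    def has_object_permission(self, request, view, obj):
        user = _authenticated_user(request)
        if user is None:
            return False
        owner = getattr(obj, 'created_by', None)
        return owner is not None and owner == user


class IsTeacher(_RolePermission):
    """Allow access only to the ``teacher``, ``institution_admin`` or ``super_admin`` roles."""

    allowed_roles = TEACHER_ROLES


class IsStudentReadOnly(permissions.BasePermission):
    """Restrict students to safe methods (GET, HEAD, OPTIONS).

    Every other authenticated role passes this check unconditionally; it is
    meant to be AND-ed with the tenant/role classes above, not used alone.
    Anonymous requests are denied.
    """

    def has_permission(self, request, view):
        user = _authenticated_user(request)
        if user is None:
            return False
        if getattr(user, 'role', None) == STUDENT_ROLE:
            return request.method in permissions.SAFE_METHODS
        return True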