import { error } from '@sveltejs/kit';

/**
 * Server-side permission predicates derived from the authenticated user in `locals`.
 *
 * The user shape is intentionally narrowed to the only field these checks read
 * (`groups[].permissions`) so the helper works against `App.Locals` without importing it.
 */
type PermissionLocals = {
	user?: { groups?: { permissions: string[] }[] } | null;
};

/** True when any of the user's groups grants WRITE_ALL. False for anonymous users. */
export function hasWriteAll(locals: PermissionLocals): boolean {
	return locals.user?.groups?.some((group) => group.permissions.includes('WRITE_ALL')) ?? false;
}

/**
 * Throws a 403 unless the user holds WRITE_ALL. Anonymous users are rejected too
 * — `hasWriteAll` returns false for a null user, so a single check covers both
 * the unauthenticated and the under-privileged case. Server-side gate; the
 * frontend canWrite flag only hides entry-point buttons.
 *
 * Other WRITE_ALL-gated author loads (e.g. `documents/[id]/edit`) still inline
 * `if (!hasWriteAll(locals)) throw error(403)` — they can adopt this helper so
 * the guard doesn't quietly diverge across routes.
 */
export function requireWriteAll(locals: PermissionLocals): void {
	if (!hasWriteAll(locals)) throw error(403, 'Forbidden');
}