"""Admin routes – user management (admin only)."""
from flask import Blueprint, render_template, redirect, url_for, flash, request, abort
from flask_login import login_required, current_user
from werkzeug.security import generate_password_hash

from app import db
from app.models.user import User

admin_bp = Blueprint("admin", __name__)


def _require_admin():
    if not current_user.is_authenticated or not current_user.is_admin():
        abort(403)


@admin_bp.route("/users")
@login_required
def list_users():
    _require_admin()
    users = User.query.order_by(User.username).all()
    return render_template("admin/users.html", users=users)


@admin_bp.route("/users/add", methods=["GET", "POST"])
@login_required
def add_user():
    _require_admin()
    if request.method == "POST":
        username = request.form.get("username", "").strip()
        password = request.form.get("password", "")
        role = request.form.get("role", "user")

        if not username or not password:
            flash("Username and password are required.", "danger")
            return render_template("admin/user_form.html", user=None)

        if User.query.filter_by(username=username).first():
            flash("Username already exists.", "danger")
            return render_template("admin/user_form.html", user=None)

        user = User(
            username=username,
            password_hash=generate_password_hash(password),
            role=role,
            is_active=True,
        )
        db.session.add(user)
        db.session.commit()
        flash(f"User '{username}' created.", "success")
        return redirect(url_for("admin.list_users"))

    return render_template("admin/user_form.html", user=None)


@admin_bp.route("/users/<int:user_id>/edit", methods=["GET", "POST"])
@login_required
def edit_user(user_id: int):
    _require_admin()
    user = db.get_or_404(User, user_id)

    if request.method == "POST":
        user.username = request.form.get("username", user.username).strip()
        user.role = request.form.get("role", user.role)
        user.is_active = "is_active" in request.form
        new_password = request.form.get("password", "").strip()
        if new_password:
            user.password_hash = generate_password_hash(new_password)
        db.session.commit()
        flash("User updated.", "success")
        return redirect(url_for("admin.list_users"))

    return render_template("admin/user_form.html", user=user)


@admin_bp.route("/users/<int:user_id>/delete", methods=["POST"])
@login_required
def delete_user(user_id: int):
    _require_admin()
    if user_id == current_user.id:
        flash("You cannot delete your own account.", "danger")
        return redirect(url_for("admin.list_users"))
    user = db.get_or_404(User, user_id)
    db.session.delete(user)
    db.session.commit()
    flash(f"User '{user.username}' deleted.", "warning")
    return redirect(url_for("admin.list_users"))