from flask import request, jsonify

from app.api import api_bp
from app.api.auth import admin_required, token_required
from app.extensions import db
from app.models.user import User


@api_bp.route('/users', methods=['GET'])
@admin_required
def list_users():
    users = User.query.order_by(User.created_at.desc()).all()
    return jsonify([u.to_dict(include_email=True) for u in users]), 200


@api_bp.route('/users/<int:user_id>', methods=['GET'])
@admin_required
def get_user(user_id):
    user = db.session.get(User, user_id)
    if not user:
        return jsonify({'error': 'Benutzer nicht gefunden'}), 404
    return jsonify(user.to_dict(include_email=True)), 200


@api_bp.route('/users/<int:user_id>', methods=['PUT'])
@admin_required
def update_user(user_id):
    user = db.session.get(User, user_id)
    if not user:
        return jsonify({'error': 'Benutzer nicht gefunden'}), 404

    data = request.get_json()
    if not data:
        return jsonify({'error': 'Keine Daten gesendet'}), 400

    if 'email' in data:
        email = data['email'].strip() or None
        if email and email != user.email:
            if User.query.filter_by(email=email).first():
                return jsonify({'error': 'Email bereits vergeben'}), 409
            user.email = email

    if 'role' in data and data['role'] in ('admin', 'user'):
        # Prevent removing last admin
        if user.role == 'admin' and data['role'] == 'user':
            admin_count = User.query.filter_by(role='admin', is_active=True).count()
            if admin_count <= 1:
                return jsonify({'error': 'Letzter Admin kann nicht herabgestuft werden'}), 400
        user.role = data['role']

    if 'is_active' in data:
        if user.id == request.current_user.id and not data['is_active']:
            return jsonify({'error': 'Eigenes Konto kann nicht deaktiviert werden'}), 400
        user.is_active = data['is_active']

    if 'storage_quota_mb' in data:
        user.storage_quota_mb = max(0, int(data['storage_quota_mb']))

    if 'password' in data and data['password']:
        if len(data['password']) < 8:
            return jsonify({'error': 'Passwort muss mindestens 8 Zeichen lang sein'}), 400
        user.set_password(data['password'])

    db.session.commit()
    return jsonify(user.to_dict(include_email=True)), 200


@api_bp.route('/users/<int:user_id>', methods=['DELETE'])
@admin_required
def delete_user(user_id):
    user = db.session.get(User, user_id)
    if not user:
        return jsonify({'error': 'Benutzer nicht gefunden'}), 404

    if user.id == request.current_user.id:
        return jsonify({'error': 'Eigenes Konto kann nicht geloescht werden'}), 400

    if user.role == 'admin':
        admin_count = User.query.filter_by(role='admin', is_active=True).count()
        if admin_count <= 1:
            return jsonify({'error': 'Letzter Admin kann nicht geloescht werden'}), 400

    db.session.delete(user)
    db.session.commit()
    return jsonify({'message': 'Benutzer geloescht'}), 200


@api_bp.route('/auth/change-password', methods=['POST'])
@token_required
def change_password():
    data = request.get_json()
    if not data:
        return jsonify({'error': 'Keine Daten gesendet'}), 400

    current_password = data.get('current_password', '')
    new_password = data.get('new_password', '')

    if not current_password or not new_password:
        return jsonify({'error': 'Aktuelles und neues Passwort erforderlich'}), 400

    if len(new_password) < 8:
        return jsonify({'error': 'Neues Passwort muss mindestens 8 Zeichen lang sein'}), 400

    user = request.current_user
    if not user.check_password(current_password):
        return jsonify({'error': 'Aktuelles Passwort falsch'}), 401

    user.set_password(new_password)
    db.session.commit()

    return jsonify({'message': 'Passwort geaendert'}), 200