// FILE: src/routes/correspondences.js
// 03.2 7) เพิ่ม routes/correspondences.js (ใหม่)
// - ใช้ร่วมกับ requirePerm() และ buildScopeWhere()
// - สำหรับจัดการ correspondences (ดู/เพิ่ม/แก้ไข/ลบ) ตามสิทธิ์ของผู้ใช้
// Correspondences routes
// - CRUD operations for correspondences
// - Requires appropriate permissions via requirePerm middleware
// - Uses org scope for all permissions
// - correspondence:read, correspondence:create, correspondence:update, correspondence:delete
// - Correspondence fields: id (PK), org_id, project_id, corr_no, subject, status, created_by
// - Basic validation: org_id, corr_no, subject required for create

import { Router } from "express";
import sql from "../db/index.js";
import { requirePerm } from "../middleware/requirePerm.js";
import { buildScopeWhere, ownerResolvers } from "../utils/scope.js";
import PERM from "../config/permissions.js";

const r = Router();
const OWN = ownerResolvers(sql, "correspondences", "id");

r.get(
  "/",
  requirePerm(PERM.correspondence.read, { scope: "global" }),
  async (req, res) => {
    const { project_id, org_id, q, limit = 50, offset = 0 } = req.query;
    const base = buildScopeWhere(req.principal, {
      tableAlias: "c",
      orgColumn: "c.org_id",
      projectColumn: "c.project_id",
      permCode: PERM.correspondence.read,
      preferProject: true,
    });
    const extra = [];
    const params = {
      ...base.params,
      limit: Number(limit),
      offset: Number(offset),
    };
    if (project_id) {
      extra.push("c.project_id = :project_id");
      params.project_id = Number(project_id);
    }
    if (org_id) {
      extra.push("c.org_id = :org_id");
      params.org_id = Number(org_id);
    }
    if (q) {
      extra.push("(c.corr_no LIKE :q OR c.subject LIKE :q)");
      params.q = `%${q}%`;
    }
    const where = [base.where, ...extra].join(" AND ");
    const [rows] = await sql.query(
      `SELECT c.* FROM correspondences c WHERE ${where} ORDER BY c.id DESC LIMIT :limit OFFSET :offset`,
      params
    );
    res.json(rows);
  }
);

r.get(
  "/:id",
  requirePerm(PERM.correspondence.read, {
    scope: "org",
    getOrgId: OWN.getOrgIdById,
  }),
  async (req, res) => {
    const id = Number(req.params.id);
    const [[row]] = await sql.query(
      "SELECT * FROM correspondences WHERE id=?",
      [id]
    );
    if (!row) return res.status(404).json({ error: "Not found" });
    res.json(row);
  }
);

r.post(
  "/",
  requirePerm(PERM.correspondence.create, {
    scope: "org",
    getOrgId: async (req) => req.body?.org_id ?? null,
  }),
  async (req, res) => {
    const { org_id, project_id, corr_no, subject, status } = req.body;
    const [rs] = await sql.query(
      `INSERT INTO correspondences (org_id, project_id, corr_no, subject, status, created_by) VALUES (?,?,?,?,?,?)`,
      [org_id, project_id, corr_no, subject, status, req.principal.userId]
    );
    res.json({ id: rs.insertId });
  }
);

r.put(
  "/:id",
  requirePerm(PERM.correspondence.update, {
    scope: "org",
    getOrgId: OWN.getOrgIdById,
  }),
  async (req, res) => {
    const id = Number(req.params.id);
    const { subject, status } = req.body;
    await sql.query(
      "UPDATE correspondences SET subject=?, status=? WHERE id=?",
      [subject, status, id]
    );
    res.json({ ok: 1 });
  }
);

r.delete(
  "/:id",
  requirePerm(PERM.correspondence.delete, {
    scope: "org",
    getOrgId: OWN.getOrgIdById,
  }),
  async (req, res) => {
    const id = Number(req.params.id);
    await sql.query("DELETE FROM correspondences WHERE id=?", [id]);
    res.json({ ok: 1 });
  }
);

export default r;