File: /var/www/farm.kosmicfarms/app/plugins/SecurityPlugin.php
<?php
use Phalcon\Acl\Adapter\Memory as AclList;
use Phalcon\Acl\Component;
use Phalcon\Acl\Role;
use Phalcon\Acl\Enum;
use Phalcon\Events\Event;
use Phalcon\Mvc\Dispatcher;
use Phalcon\Di\Injectable;
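/**
 * Dispatcher plugin that gates every route through a Phalcon ACL.
 *
 * The ACL is built in the constructor from three models: Roles (column
 * `name`), Permissions (`resource`, plus a comma-separated `actions` list) and
 * RolePermissions (`role_id`, `permission_id`). It is an in-memory ACL that is
 * rebuilt from the database every time the plugin is constructed — there is no
 * caching here, so in production this should be wrapped in a cache if the DB
 * round-trips matter.
 *
 * Deny-by-default: anything not explicitly granted is refused, and a role that
 * the ACL does not know is treated as having no grants at all.
 */
class SecurityPlugin extends Injectable
{
    /**
     * Route a denied request is forwarded to. The forward re-enters this
     * plugin, so the target must be reachable by every role (including
     * 'guest'); if it is not, beforeExecuteRoute() stops with a 403 instead of
     * forwarding into a cycle.
     */
    const DENY_CONTROLLER = 'session';
    const DENY_ACTION = 'index';

    /** @var AclList ACL built from the DB; public so callers can inspect it. */
    public $acl;

    /**
     * Authorize the current controller/action against the session's roles.
     *
     * Unauthenticated requests evaluate as the single role 'guest'. An
     * authenticated session whose role list is missing, empty or not an array
     * is logged out (fail closed) rather than being evaluated.
     *
     * @return mixed result of myHelper->logout(), false when dispatch is
     *               cancelled, or null when the route is allowed
     */
    public function beforeExecuteRoute(Event $event, Dispatcher $dispatcher)
    {
        $auth = $this->session->get('auth');

        if ($auth) {
            // array_values() guarantees index 0 exists for the layout check below,
            // even if the session stored an associative list.
            $roles = (isset($auth['roles']) && is_array($auth['roles']))
                ? array_values($auth['roles'])
                : [];
            if (empty($roles)) {
                // Logged-in session without usable roles: drop it instead of
                // evaluating an undefined role set.
                return $this->myHelper->logout();
            }
        } else {
            $roles = ['guest'];
        }

        $controller = $dispatcher->getControllerName();
        $action = $dispatcher->getActionName();

        if (!$this->isAllowedForAny($roles, $controller, $action)) {
            if ($controller === self::DENY_CONTROLLER && $action === self::DENY_ACTION) {
                // The fallback route itself is denied for these roles;
                // forwarding again would just re-trigger this check.
                $this->response->setStatusCode(403, 'Forbidden');
                return false;
            }
            $dispatcher->forward([
                'controller' => self::DENY_CONTROLLER,
                'action' => self::DENY_ACTION,
            ]);
            return false;
        }

        // Authenticated users (first role not 'guest') get the user layout.
        if ($roles[0] !== 'guest') {
            $this->view->setLayout('user');
        }
    }

    /**
     * True when at least one of $roles is granted $action on $controller.
     * Roles unknown to the ACL are skipped, so they can never grant access.
     *
     * @param string[] $roles
     */
    private function isAllowedForAny(array $roles, $controller, $action)
    {
        foreach ($roles as $role) {
            if (!is_string($role) || !$this->acl->isRole($role)) {
                continue;
            }
            if ($this->acl->isAllowed($role, $controller, $action)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Build the ACL from the database plus the fixed public/admin rules.
     * Runs DB queries on every construction (see class comment).
     */
    public function __construct()
    {
        $this->acl = new AclList();
        // Fail closed: anything not explicitly allowed below is denied.
        $this->acl->setDefaultAction(Enum::DENY);

        $this->registerRoles();
        $this->registerComponents();
        $this->registerGrants();
        $this->registerBuiltinRules();
    }

    /** Add every DB role, and make sure 'guest' exists even if the DB omits it. */
    private function registerRoles()
    {
        foreach (Roles::find() as $role) {
            $this->acl->addRole($role->name);
        }
        // Unauthenticated requests are always evaluated as 'guest'; the guest
        // allow() calls below would throw if the role were missing.
        if (!$this->acl->isRole('guest')) {
            $this->acl->addRole('guest');
        }
    }

    /** Register each Permissions row as a component with its action list. */
    private function registerComponents()
    {
        foreach (Permissions::find() as $permission) {
            $this->acl->addComponent(
                new Component($permission->resource),
                self::splitActions($permission->actions)
            );
        }
    }

    /**
     * Apply RolePermissions rows as allow() grants.
     *
     * Role and permission lookups are memoised per id so a large grant table
     * does not issue one Roles::findFirst() per row. Rows whose role or
     * permission cannot be resolved are skipped (nothing granted) instead of
     * dereferencing a failed lookup.
     */
    private function registerGrants()
    {
        $roleNames = [];
        $permissions = [];

        foreach (RolePermissions::find() as $grant) {
            $roleId = $grant->role_id;
            $permissionId = $grant->permission_id;

            if (!array_key_exists($roleId, $roleNames)) {
                // NOTE(review): findFirst() treats a non-numeric string as a raw
                // condition; role_id is expected to be an integer key — confirm.
                $role = Roles::findFirst($roleId);
                $roleNames[$roleId] = $role ? $role->name : null;
            }
            if (!array_key_exists($permissionId, $permissions)) {
                $found = Permissions::findFirst($permissionId);
                $permissions[$permissionId] = $found ?: null;
            }

            $roleName = $roleNames[$roleId];
            $permission = $permissions[$permissionId];
            if ($roleName === null || $permission === null) {
                continue;
            }

            $this->acl->allow(
                $roleName,
                $permission->resource,
                self::splitActions($permission->actions)
            );
        }
    }

    /**
     * Fixed rules that do not come from the DB: the public entry points for
     * guests, and the admin wildcard.
     */
    private function registerBuiltinRules()
    {
        // Registering the components here (addComponent merges into an
        // existing one) means these grants no longer depend on the DB listing
        // 'login', 'session' and 'logout' as resources.
        $publicRoutes = [
            'login' => ['index'],
            'session' => ['login'],
            'logout' => ['index'],
        ];
        foreach ($publicRoutes as $component => $actions) {
            $this->acl->addComponent(new Component($component), $actions);
            $this->acl->allow('guest', $component, $actions);
        }

        // Full access for 'admin', but only when that role is actually defined
        // (allow() throws on an unknown role, which would take the app down).
        if ($this->acl->isRole('admin')) {
            $this->acl->allow('admin', '*', ['*']);
        }
    }

    /**
     * Split a comma-separated action list into trimmed, non-empty names.
     *
     * Trimming makes "index, edit" match the dispatcher's "edit"; dropping
     * empty entries avoids registering a nameless access for an empty column.
     *
     * @param string|null $csv
     * @return string[]
     */
    private static function splitActions($csv): array
    {
        $actions = array_map('trim', explode(',', (string) $csv));
        $nonEmpty = array_filter($actions, static function ($name) {
            return $name !== '';
        });
        return array_values($nonEmpty);
    }
}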
/* LEGACY: an earlier, hard-coded variant of this plugin written against an older Phalcon API (Plugin/Resource/Acl::DENY). Superseded by the DB-driven class above; kept only for reference.
use Phalcon\Acl\Adapter\Memory;
use Phalcon\Acl\Role;
use Phalcon\Acl\Resource;
use Phalcon\Acl;
use Phalcon\Events\Event;
use Phalcon\Mvc\Dispatcher;
use Phalcon\Mvc\User\Plugin;
// Create the ACL
class SecurityPlugin extends Plugin
{
public $acl; // Declaration only
public function __construct() {
$this->acl = new Memory();
// 1. Define Default Action (Deny if not specified)
$this->acl->setDefaultAction(Acl::DENY);
// 2. Register Roles
$this->acl->addRole(new Role('guest'));
$this->acl->addRole(new Role('manager'));
$this->acl->addRole(new Role('admin'));
// 3. Register Resources (Controller -> Actions)
$this->acl->addResource(new Resource('index'), ['index']);
$this->acl->addResource(new Resource('login'), ['index']);
$this->acl->addResource(new Resource('session'), ['login']);
$this->acl->addResource(new Resource('dashboard'), ['index']);
$this->acl->addResource(new Resource('posts'), ['edit']);
// 4. Set Permissions
// Allow guests only public access
$this->acl->allow('guest', 'login', ['index']);
$this->acl->allow('guest', 'session', ['login']);
$this->acl->allow('manager', 'login', ['index']);
$this->acl->allow('manager', 'dashboard', ['index']);
$this->acl->allow('manager', 'posts', ['edit']);
$this->acl->allow('admin', '*', ['*']);
}
public function beforeExecuteRoute(Event $event, Dispatcher $dispatcher)
{
$auth = $this->session->get('auth');
$role = $auth ? $auth['role'] : 'guest';
$controller = $dispatcher->getControllerName();
$action = $dispatcher->getActionName();
if (!$this->acl->isAllowed($role, $controller, $action)) {
$dispatcher->forward(['controller' => 'login', 'action' => 'index']);
//$this->flashSession->error('You must be logged in to access this area.');
//$this->response->redirect('/login');
return false; // Stop dispatch
}
}
}*/