package auth

import (
	"context"

	"github.com/tech/sendico/pkg/model"
	"go.mongodb.org/mongo-driver/bson/primitive"
)

// Enforcer is the authorization decision interface: it answers whether an
// account may perform an action on an object inside an organization, and
// exposes the roles and permissions those decisions are based on.
//
// NOTE(review): the interface does not define what the non-error results
// contain when err != nil. Callers should fail closed: treat any non-nil
// error as a denial and do not act on the accompanying values.
type Enforcer interface {
	// Enforce reports whether accountRef may perform action on objectRef
	// within the organization identified by orgRef.
	//
	// NOTE(review): permissionRef presumably selects the permission being
	// evaluated; confirm against the implementations.
	Enforce(
		ctx context.Context,
		permissionRef, accountRef, orgRef, objectRef primitive.ObjectID,
		action model.Action,
	) (bool, error)

	// EnforceBatch evaluates action for accountRef against a batch of
	// objects in one call and returns one decision per object.
	//
	// NOTE(review): the result map is presumably keyed by each object's ID,
	// and the permission and organization are presumably read from each
	// model.PermissionBoundStorable, since neither is a parameter here;
	// verify. Callers should treat an object missing from the map as denied
	// (an absent key already reads as false).
	EnforceBatch(
		ctx context.Context,
		objectRefs []model.PermissionBoundStorable,
		accountRef primitive.ObjectID,
		action model.Action,
	) (map[primitive.ObjectID]bool, error)

	// GetRoles returns the roles the account holds in the given
	// organization, plus any partial scopes if relevant.
	GetRoles(
		ctx context.Context,
		accountRef, orgRef primitive.ObjectID,
	) ([]model.Role, error)

	// GetPermissions returns all effective permissions (with effect and
	// object scoping) for the account in the given organization. They are
	// merged from every role the account holds, plus any denies/exceptions.
	//
	// NOTE(review): the []model.Role result is presumably the set of roles
	// the permissions were merged from; confirm.
	GetPermissions(
		ctx context.Context,
		accountRef, orgRef primitive.ObjectID,
	) ([]model.Role, []model.Permission, error)
}