require 'ipaddr'

class ApplicationController < ActionController::Base
  protect_from_forgery

  before_action :current_user

  SINGLE_USER_MODE_CONF_KEY = 'system.single_user_mode'
  MULTIPLE_IP_LOGIN_CONF_KEY = 'right.multiple_ip_login'
  WHITELIST_IGNORE_CONF_KEY = 'right.whitelist_ignore'
  WHITELIST_IP_CONF_KEY = 'right.whitelist_ip'

  #report and redirect for unauthorized activities
  def unauthorized_redirect(notice = 'You are not authorized to view the page you requested')
    flash[:notice] = notice
    redirect_to login_main_path
  end

  # Returns the current logged-in user (if any).
  def current_user
    return nil unless session[:user_id]
    @current_user ||= User.find(session[:user_id])
  end

  def admin_authorization
    return false unless check_valid_login
    user = User.includes(:roles).find(session[:user_id])
    unless user.admin?
      unauthorized_redirect
      return false
    end
    return true
  end

  def authorization_by_roles(allowed_roles)
    return false unless check_valid_login
    user = User.find(session[:user_id])
    unless user.roles.detect { |role| allowed_roles.member?(role.name) }
      unauthorized_redirect
      return false
    end
  end

  def testcase_authorization
    #admin always has privileged
    if @current_user.admin?
      return true
    end

    unauthorized_redirect unless GraderConfiguration["right.view_testcase"]
  end


  protected

  #redirect to root (and also force logout)
  #if the user is not logged_in or the system is in "ADMIN ONLY" mode
  def check_valid_login
    #check if logged in
    unless session[:user_id]
      if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY]
        unauthorized_redirect('You need to login but you cannot log in at this time')
      else
        unauthorized_redirect('You need to login')
      end
      return false
    end

    # check if run in single user mode
    if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY]
      if @current_user==nil || (!@current_user.admin?)
        unauthorized_redirect('You cannot log in at this time')
        return false
      end
    end

    # check if the user is enabled
    unless @current_user.enabled? || @current_user.admin?
      unauthorized_redirect 'Your account is disabled'
      return false
    end

    # check if user ip is allowed
    unless @current_user.admin? || GraderConfiguration[WHITELIST_IGNORE_CONF_KEY]
      unless is_request_ip_allowed?
        unauthorized_redirect 'Your IP is not allowed to login at this time.'
        return false
      end
    end

    if GraderConfiguration.multicontests? 
      return true if @current_user.admin?
      begin
        if @current_user.contest_stat(true).forced_logout
          flash[:notice] = 'You have been automatically logged out.'
          redirect_to :controller => 'main', :action => 'index'
        end
      rescue
      end
    end
    return true
  end

  #redirect to root (and also force logout)
  #if the user use different ip from the previous connection
  #  only applicable when MULTIPLE_IP_LOGIN options is false only
  def authenticate_by_ip_address
    #this assume that we have already authenticate normally
    unless GraderConfiguration[MULTIPLE_IP_LOGIN_CONF_KEY]
      user = User.find(session[:user_id])
      if (!user.admin? && user.last_ip && user.last_ip != request.remote_ip)
        flash[:notice] = "You cannot use the system from #{request.remote_ip}. Your last ip is #{user.last_ip}"
        redirect_to :controller => 'main', :action => 'login'
        return false
      end
      unless user.last_ip
        user.last_ip = request.remote_ip
        user.save
      end
    end
    return true
  end

  def authorization
    return false unless check_valid_login
    user = User.find(session[:user_id])
    unless user.roles.detect { |role|
        role.rights.detect{ |right|
          right.controller == self.class.controller_name and
            (right.action == 'all' || right.action == action_name)
        }
      }
      flash[:notice] = 'You are not authorized to view the page you requested'
      #request.env['HTTP_REFERER'] ? (redirect_to :back) : (redirect_to :controller => 'login')
      redirect_to :controller => 'main', :action => 'login'
      return false
    end
  end

  def verify_time_limit
    return true if session[:user_id]==nil
    user = User.find(session[:user_id], :include => :site)
    return true if user==nil || user.site == nil
    if user.contest_finished?
      flash[:notice] = 'Error: the contest you are participating is over.'
      redirect_to :back
      return false
    end
    return true
  end

  def is_request_ip_allowed?
    unless GraderConfiguration[WHITELIST_IGNORE_CONF_KEY]
      user_ip = IPAddr.new(request.remote_ip)

      GraderConfiguration[WHITELIST_IP_CONF_KEY].delete(' ').split(',').each do |ips|
        puts "ip is #{ips}, user ip is #{user_ip}"
        allow_ips = IPAddr.new(ips)
        if allow_ips.include?(user_ip)
          return true
        end
      end
      return false
    end
    return true
  end

end