#!/usr/bin/env python3
"""
Portal CMS CRUD RBAC 权限注册脚本

直接操作 ocai_cms 数据库的 permission/rolepermission 表，
注册CMS管理后台的CRUD路径权限。

用法: cd ~/portal && py3/bin/python load_path.py
"""
import asyncio
import sys
import os

sys.path.insert(0, os.path.join(os.path.dirname(os.path.abspath(__file__)), 'pkgs'))

from appPublic.jsonConfig import getConfig
from sqlor.dbpools import DBPools
from appPublic.uniqueID import getID

# CMS管理页面路径 — superuser可访问
PATHS_SUPERUSER = [
    "/admin.ui",
    # CMS Content CRUD
    "/cms_content_list", "/cms_content_list/%",
    "/api/cms_content_create.dspy", "/api/cms_content_update.dspy", "/api/cms_content_delete.dspy",
    # CMS Sections CRUD
    "/cms_sections_list", "/cms_sections_list/%",
    "/api/cms_sections_create.dspy", "/api/cms_sections_update.dspy", "/api/cms_sections_delete.dspy",
    # CMS Categories CRUD
    "/cms_categories_list", "/cms_categories_list/%",
    "/api/cms_categories_create.dspy", "/api/cms_categories_update.dspy", "/api/cms_categories_delete.dspy",
    # CMS Leads CRUD
    "/cms_leads_list", "/cms_leads_list/%",
    "/api/cms_leads_create.dspy", "/api/cms_leads_update.dspy", "/api/cms_leads_delete.dspy",
    # CMS Site Config CRUD
    "/cms_site_config_list", "/cms_site_config_list/%",
    "/api/cms_site_config_create.dspy", "/api/cms_site_config_update.dspy", "/api/cms_site_config_delete.dspy",
]

SUPERUSER_ROLE_ID = 'r0ZHXa9vjGUHqkd4m_66w'


async def register_permissions():
    config = getConfig('.')
    db = DBPools(config.databases)

    async with db.sqlorContext('ocai_cms') as sor:
        cur = await sor.conn.cursor()

        # Get existing permissions
        await cur.execute("SELECT path FROM permission")
        existing = {r[0] for r in await cur.fetchall()}

        count = 0
        for path in PATHS_SUPERUSER:
            if path not in existing:
                perm_id = getID()
                await cur.execute(
                    "INSERT INTO permission (id, name, path) VALUES (%s, %s, %s)",
                    (perm_id, None, path)
                )
                existing.add(path)
                print(f"  + permission: {path}")

            # Get permission ID and link to superuser role
            await cur.execute("SELECT id FROM permission WHERE path = %s", (path,))
            row = await cur.fetchone()
            if row:
                perm_id = row[0]
                # Check if rolepermission already exists
                await cur.execute(
                    "SELECT id FROM rolepermission WHERE roleid = %s AND permid = %s",
                    (SUPERUSER_ROLE_ID, perm_id)
                )
                if not await cur.fetchone():
                    rp_id = getID()
                    await cur.execute(
                        "INSERT INTO rolepermission (id, roleid, permid) VALUES (%s, %s, %s)",
                        (rp_id, SUPERUSER_ROLE_ID, perm_id)
                    )
                    count += 1

        await sor.conn.commit()
        await cur.close()
        print(f"\nDone: {count} new rolepermission entries for owner.superuser")


if __name__ == "__main__":
    print("=== Portal CMS RBAC 权限注册 ===")
    asyncio.run(register_permissions())