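# Copyright 2024 DOB
# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).

from odoo import SUPERUSER_ID
from odoo.exceptions import UserError
from odoo.tests import new_test_user
from odoo.tests.common import TransactionCase


class TestIrRuleProtected(TransactionCase):
    """Check that only the superuser may change or delete a protected ir.rule.

    Validates: Requirement 6.2

    NOTE(review): every denial below is asserted with ``assertRaises(UserError)``.
    In recent Odoo versions AccessError and ValidationError are subclasses of
    UserError, so that assertion alone does not prove the error came from the
    protection check; the unprotected-rule test is the control for ``write``,
    and there is no equivalent control for ``unlink``.

    NOTE(review): two cases are not exercised here and should be confirmed
    against the requirement: the regular user going through ``sudo()``, and a
    regular user writing ``protected`` itself on a protected rule.
    """

    @classmethod
    def setUpClass(cls):
        """Create the shared fixtures: one non-superuser admin, one protected rule."""
        super().setUpClass()
        cls.env = cls.env(
            context=dict(
                cls.env.context,
                tracking_disable=True,
                no_reset_password=True,
            )
        )
        # An administrator who is not the superuser. Presumably base.group_system
        # is granted so that ordinary access rights on ir.rule do not reject the
        # operation before the protection check is reached (confirm).
        cls.regular_user = new_test_user(
            cls.env,
            name="Regular Admin",
            login="test_regular_admin_ir_rule",
            groups="base.group_user,base.group_system",
        )
        # The protected rule is created as the superuser.
        rule_model = cls.env["ir.rule"].with_user(SUPERUSER_ID)
        cls.protected_rule = rule_model.create(
            {
                "name": "Test Protected Rule",
                "model_id": cls.env.ref("base.model_res_partner").id,
                "protected": True,
            }
        )

    def test_non_superuser_cannot_write_protected_rule(self):
        """WHEN a user without is_superuser tries to modify a protected ir.rule,
        ir_rule_protected SHALL deny the modification with UserError.

        Validates: Requirement 6.2
        """
        name_before = self.protected_rule.name
        rule_as_user = self.protected_rule.with_user(self.regular_user)
        with self.assertRaises(UserError):
            rule_as_user.write({"name": "Attempted Rename"})
        # A denial must leave the rule exactly as it was.
        self.assertEqual(self.protected_rule.name, name_before)

    def test_non_superuser_cannot_unlink_protected_rule(self):
        """WHEN a user without is_superuser tries to delete a protected ir.rule,
        ir_rule_protected SHALL deny the deletion with UserError.

        Validates: Requirement 6.2
        """
        rule_as_user = self.protected_rule.with_user(self.regular_user)
        with self.assertRaises(UserError):
            rule_as_user.unlink()
        # The rule must still be there after the refused deletion.
        self.assertTrue(self.protected_rule.exists())

    def test_superuser_can_write_protected_rule(self):
        """WHEN the superuser modifies a protected ir.rule,
        ir_rule_protected SHALL allow the modification.

        Validates: Requirement 6.2 (positive case)
        """
        rule_as_root = self.protected_rule.with_user(SUPERUSER_ID)
        original_name = self.protected_rule.name
        # Registered before the rename so the class-level fixture gets its name
        # back even when the assertion below fails.
        self.addCleanup(rule_as_root.write, {"name": original_name})
        rule_as_root.write({"name": "Superuser Rename"})
        self.assertEqual(self.protected_rule.name, "Superuser Rename")

    def test_non_superuser_can_write_unprotected_rule(self):
        """WHEN a user without is_superuser modifies an unprotected ir.rule,
        ir_rule_protected SHALL allow the modification.

        Validates: Requirement 6.2 (negative case — unprotected rule)
        """
        rule_model = self.env["ir.rule"].with_user(SUPERUSER_ID)
        unprotected_rule = rule_model.create(
            {
                "name": "Unprotected Rule",
                "model_id": self.env.ref("base.model_res_partner").id,
                "protected": False,
            }
        )
        # Control case: the same regular user must be able to write here, which
        # shows the denials above are tied to the protected flag.
        unprotected_rule.with_user(self.regular_user).write({"name": "Renamed OK"})
        self.assertEqual(unprotected_rule.name, "Renamed OK")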