package authz

import (
	"context"

	"haixun-backend/internal/library/authctx"
	app "haixun-backend/internal/library/errors"
	"haixun-backend/internal/library/errors/code"
	"haixun-backend/internal/svc"
)

// RequireAdmin is an authorization guard: it returns nil only when the actor
// carried in ctx resolves to a member whose Roles contains the exact string
// "admin". Every other outcome yields a non-nil error, so callers must treat
// any error as a denial (fail closed).
//
// Outcomes:
//   - no actor in ctx: AuthUnauthorized("missing actor").
//   - member lookup fails: the error from Member.GetByUID, returned unchanged.
//   - member has no "admin" role: AuthForbidden("admin role required").
//
// The role list is read through svcCtx.Member.GetByUID on every call, keyed by
// the actor's TenantID and UID, rather than taken from the actor value itself.
//
// NOTE(review): this relies on GetByUID restricting the lookup to the given
// tenant; confirm that in the Member implementation.
// NOTE(review): if GetByUID can return a nil member together with a nil error,
// the Roles access below would panic; confirm its contract.
func RequireAdmin(ctx context.Context, svcCtx *svc.ServiceContext) error {
	caller, found := authctx.ActorFromContext(ctx)
	if !found {
		return app.For(code.Auth).AuthUnauthorized("missing actor")
	}

	record, lookupErr := svcCtx.Member.GetByUID(ctx, caller.TenantID, caller.UID)
	if lookupErr != nil {
		// Propagated as-is; the caller decides how to surface a lookup failure.
		return lookupErr
	}

	// The match is exact and case-sensitive: only the literal "admin" grants access.
	hasAdmin := false
	for _, assigned := range record.Roles {
		if assigned == "admin" {
			hasAdmin = true
			break
		}
	}
	if !hasAdmin {
		return app.For(code.Auth).AuthForbidden("admin role required")
	}
	return nil
}