"""
Tests for user API: password requirement, salary field visibility, role access.
"""
import json, pytest


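class TestUserCreation:
    """POST /api/users validation: a password is mandatory and must satisfy the length policy."""

    # All requests go out as gm_client with the same fixed CSRF header value;
    # a constant token can only work if CSRF checking is relaxed or stubbed in
    # the test app — presumably done in conftest, TODO confirm.
    _HEADERS = {'X-CSRFToken': 'test-csrf-token'}

    def _post_user(self, client, payload):
        """POST *payload* as a JSON body to /api/users and return the raw response."""
        return client.post('/api/users',
                           data=json.dumps(payload),
                           content_type='application/json',
                           headers=self._HEADERS)

    def test_create_user_without_password_rejected(self, gm_client):
        """Creating a user with no password must return 400 and name the password as the cause."""
        r = self._post_user(gm_client, {'name': 'No Pass User', 'email': '', 'role': 'cashier',
                                        'outlet_id': 1})
        assert r.status_code == 400
        assert 'password' in json.loads(r.data).get('error', '').lower()

    def test_create_user_short_password_rejected(self, gm_client):
        """A 3-character password must be rejected with 400.

        The error body must mention the password: a bare 400 could equally come
        from some other validation failure or from CSRF rejection, so checking
        the stated reason is what proves the length policy itself is enforced.
        """
        r = self._post_user(gm_client, {'name': 'Short Pass', 'email': '', 'role': 'cashier',
                                        'outlet_id': 1, 'password': 'abc'})
        assert r.status_code == 400
        assert 'password' in json.loads(r.data).get('error', '').lower()

    def test_create_user_with_password_succeeds(self, gm_client):
        """A complete payload with a policy-compliant password returns 200 and ``ok: True``."""
        r = self._post_user(gm_client, {'name': 'Valid User', 'email': 'v@test.com',
                                        'role': 'cashier', 'outlet_id': 1,
                                        'password': 'SecurePass1'})
        assert r.status_code == 200
        assert json.loads(r.data).get('ok') is True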


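class TestSalaryVisibility:
    """GET /api/users: pay fields are visible to managers and must never reach cashiers."""

    def test_manager_sees_salary_fields(self, gm_client):
        """A manager listing users gets at least one record carrying pay_amount / pay_period."""
        r = gm_client.get('/api/users')
        # Pin the status first: on a non-200 the body is most likely an error
        # object rather than a list, and the key scan below would then fail
        # with a misleading message.
        assert r.status_code == 200
        users = json.loads(r.data)
        assert len(users) > 0
        fields = {k for u in users for k in u.keys()}
        assert 'pay_amount' in fields or 'pay_period' in fields
        # NOTE(review): nothing here checks that the listing omits credential
        # material (e.g. a stored password hash); worth asserting once the
        # serializer's field set is known.

    def test_cashier_cannot_see_salary_fields(self, cashier_client):
        """A cashier is either refused outright or served a listing with pay fields stripped.

        A refusal must be an explicit 403 (the same answer the POST test below
        expects from role_required); any other non-200 status — a 500, a
        redirect — is a test failure, not an implicit pass.
        """
        r = cashier_client.get('/api/users')
        if r.status_code == 200:
            users = json.loads(r.data)
            for u in users:
                assert 'pay_amount' not in u
                assert 'pay_period' not in u
        else:
            # Only an authorization refusal is acceptable; never let an error
            # or redirect masquerade as "no leak".
            assert r.status_code == 403, r.status_code

    def test_cashier_cannot_access_user_management(self, cashier_client):
        """A cashier POSTing to /api/users is refused with 403 (presumably by role_required)."""
        r = cashier_client.post('/api/users',
                                data=json.dumps({'name': 'x', 'password': 'testpass1',
                                                 'role': 'cashier', 'outlet_id': 1}),
                                content_type='application/json',
                                headers={'X-CSRFToken': 'test-csrf-token'})
        assert r.status_code == 403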
