"""
security.py

Purpose:
  Provide authentication and authorization decorators for views. This keeps
  access control concerns centralized and testable.

Exports:
  - login_required(view): redirects to login if not authenticated
  - admin_required(view): ensures the current user has admin privileges
"""

from functools import wraps
from flask import session, redirect, url_for, flash
from .db import get_db


def login_required(view_func):
    """Wrap a view so that it only runs for requests with a logged-in session.

    The check is purely the presence of the ``'user_id'`` key in the Flask
    ``session``. No database lookup happens here, so this decorator does not
    notice an account that was removed after the session was created.

    Args:
        view_func: The view callable to protect.

    Returns:
        A callable carrying the metadata of ``view_func`` (via
        ``functools.wraps``). It redirects to the ``views.login_root``
        endpoint when the session has no ``'user_id'`` and otherwise returns
        whatever ``view_func`` returns.
    """
    def guarded(*args, **kwargs):
        if 'user_id' in session:
            return view_func(*args, **kwargs)
        # Anonymous request: send the client to the login page instead.
        return redirect(url_for('views.login_root'))

    return wraps(view_func)(guarded)


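def admin_required(view_func):
    """Wrap a view so that it only runs for logged-in users flagged as admin.

    The admin flag is read from the ``users`` table on every call rather than
    from the session, so a change to ``is_admin`` applies to the next request.

    The decorator fails closed: if the lookup raises, access is denied exactly
    as for a non-admin user. The failure is also logged with its traceback, so
    a database outage is not mistaken for an ordinary authorization denial.

    Args:
        view_func: The view callable to protect.

    Returns:
        A callable carrying the metadata of ``view_func`` (via
        ``functools.wraps``). It redirects to ``views.login_root`` when the
        session has no ``'user_id'``, flashes an error and redirects to
        ``views.select_page`` when the user is not an admin or the lookup
        fails, and otherwise returns whatever ``view_func`` returns.
    """
    # Imported locally so this block does not depend on a file-level import.
    import logging

    log = logging.getLogger(__name__)

    @wraps(view_func)
    def wrapper(*args, **kwargs):
        if 'user_id' not in session:
            return redirect(url_for('views.login_root'))

        try:
            db = get_db()
            # Parameterized query: the session value is never spliced into SQL.
            row = db.execute(
                'SELECT is_admin FROM users WHERE id = ?',
                (session['user_id'],),
            ).fetchone()
            # A missing row, NULL, 0 or any value other than 1 is "not admin".
            is_admin = bool(row) and int(row['is_admin'] or 0) == 1
        except Exception:
            # Deny on any error, but leave a trace for operators and auditors.
            log.exception(
                'admin_required: privilege lookup failed for user_id=%r; '
                'denying access',
                session.get('user_id'),
            )
            is_admin = False

        if not is_admin:
            flash('Nema ovlasti.', 'error')
            return redirect(url_for('views.select_page'))
        return view_func(*args, **kwargs)

    return wrapper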


