"""
users/admin.py
==============
Configuración del admin de Django para el módulo users.
Permite gestionar usuarios, perfiles y tokens desde /admin/.
"""

from django.contrib import admin
from django.contrib.auth.admin import UserAdmin
from users.models import CustomUser, PerfilDocente, PerfilAlumno, RegistrationToken


class PerfilDocenteInline(admin.StackedInline):
    model = PerfilDocente
    can_delete = False
    readonly_fields = ['aprobado_por', 'aprobado_en']
    fields = ['institucion', 'departamento', 'cargo', 'aprobado_por', 'aprobado_en', 'motivo_rechazo']


class PerfilAlumnoInline(admin.StackedInline):
    model = PerfilAlumno
    can_delete = False
    readonly_fields = ['invitado_por']


@admin.register(CustomUser)
class CustomUserAdmin(UserAdmin):
    """Admin de usuarios con perfiles inline."""

    # Columnas visibles en el listado
    list_display  = ['id', 'email_hash', 'role', 'is_active', 'is_approved', 'created_at']
    list_filter   = ['role', 'is_active', 'is_approved']
    search_fields = ['email_hash', 'nickname']
    ordering      = ['-created_at']

    # Nota: el email real requiere descifrado — no se muestra en búsquedas por seguridad
    readonly_fields = ['email_hash', 'created_at', 'updated_at', 'login_attempts', 'locked_until']

    fieldsets = (
        ('Identificación',  {'fields': ('email_hash', 'email_encrypted', 'password')}),
        ('Rol y estado',    {'fields': ('role', 'nickname', 'is_active', 'is_approved', 'is_staff', 'is_superuser')}),
        ('Seguridad',       {'fields': ('login_attempts', 'locked_until', 'session_token')}),
        ('Auditoría',       {'fields': ('created_at', 'updated_at')}),
    )

    add_fieldsets = (
        (None, {
            'classes': ('wide',),
            'fields': ('email_hash', 'password1', 'password2', 'role'),
        }),
    )

    def get_inlines(self, request, obj=None):
        if obj and obj.role == 'docente':
            return [PerfilDocenteInline]
        if obj and obj.role == 'alumno':
            return [PerfilAlumnoInline]
        return []


@admin.register(RegistrationToken)
class RegistrationTokenAdmin(admin.ModelAdmin):
    list_display  = ['id', 'docente', 'is_valid', 'expires_at', 'used_at', 'created_at']
    list_filter   = ['docente']
    readonly_fields = ['token_hash', 'used_at', 'used_by', 'created_at']
    ordering = ['-created_at']

    def is_valid(self, obj):
        return obj.is_valid
    is_valid.boolean = True
    is_valid.short_description = '¿Válido?'