"""
Plattform-Admin: Übersicht aller Nutzer inkl. Vereinsmitgliedschaften (ohne Passwort-Hashes).
"""
from typing import Any, Dict, List

from fastapi import APIRouter, Depends, HTTPException

from auth import require_auth
from club_tenancy import is_platform_admin, memberships_with_roles
from db import get_db, get_cursor, r2d

router = APIRouter(prefix="/api/admin", tags=["admin_users"])

_SAFE_PROFILE_COLS = """
    id, name, email, role, tier, email_verified, active_club_id,
    created_at, updated_at, auth_type
"""


@router.get("/users")
def list_platform_users(session: dict = Depends(require_auth)):
    """Alle Profile mit Vereinen/Rollen — nur Portal-Admin (admin oder superadmin)."""
    role = (session.get("role") or "").lower()
    if not is_platform_admin(role):
        raise HTTPException(status_code=403, detail="Nur Portal-Administratoren")

    with get_db() as conn:
        cur = get_cursor(conn)
        cur.execute(
            f"""
            SELECT {_SAFE_PROFILE_COLS.strip()}
            FROM profiles
            ORDER BY COALESCE(lower(trim(email)), ''), id
            """
        )
        rows: List[Dict[str, Any]] = []
        for r in cur.fetchall():
            d = r2d(r)
            d["clubs"] = memberships_with_roles(cur, int(d["id"]), active_only=False)
            rows.append(d)
        return rows