from django.shortcuts import redirect
from django.contrib import messages
from urllib.parse import quote

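class AdminAccessMiddleware:
    """Restrict every URL under ``/admin/`` to administrators.

    A request is let through when the user is authenticated and is either a
    superuser or has ``role == 'ADMIN'``. Anonymous users may reach only the
    admin login URL itself; any other admin URL sends them to the login page
    with the original URL in ``next``. Authenticated non-administrators are
    sent to ``/staff/dashboard/`` with an error message.

    ``request.user`` is read with a ``None`` default, so if nothing earlier in
    the middleware chain has set it, every admin request is treated as
    anonymous (the gate fails closed). This middleware is an additional layer
    on top of whatever permission checks the admin views themselves perform;
    it does not replace them.
    """

    def __init__(self, get_response):
        """Store the next handler in the middleware chain."""
        self.get_response = get_response

    @staticmethod
    def _is_login_path(path):
        """Return True only for the admin login URL itself.

        The comparison is exact on purpose. A prefix test such as
        ``startswith('/admin/login')`` would also exempt any other admin URL
        whose first segment merely begins with "login" (for example
        ``/admin/loginlog/``), letting anonymous requests skip this gate.
        """
        return path in ('/admin/login', '/admin/login/')

    def __call__(self, request):
        """Apply the admin gate, then hand the request to the next handler.

        Returns the downstream response when access is allowed, otherwise a
        redirect to the staff dashboard (authenticated non-admin) or to the
        admin login page (anonymous).
        """
        path = request.path
        if not path.startswith('/admin/'):
            return self.get_response(request)

        user = getattr(request, 'user', None)
        authenticated = bool(user and getattr(user, 'is_authenticated', False))

        if authenticated:
            allowed = (
                getattr(user, 'is_superuser', False)
                or getattr(user, 'role', None) == 'ADMIN'
            )
        else:
            # Anonymous users need the login page in order to sign in at all.
            allowed = self._is_login_path(path)

        if allowed:
            return self.get_response(request)

        if authenticated:
            # Drain queued messages so text meant for another page is not
            # shown alongside the access-denied notice.
            storage = messages.get_messages(request)
            list(storage)  # iterating marks the stored messages as consumed

            messages.error(request, 'Access to admin panel is restricted to administrators.')
            return redirect('/staff/dashboard/')

        # safe='' percent-encodes '/', '?' and '&' too, so the whole original
        # URL travels as a single ``next`` value.
        next_url = quote(request.get_full_path(), safe='')
        return redirect(f'/admin/login/?next={next_url}')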
