import type { Access } from "payload";

import { getUserTenantIDs } from "../../../utilities/getUserTenantIDs";
import { isSuperAdmin } from "@/access/isSuperAdmin";
import { isAccessingSelf } from "./isAccessingSelf";

export const updateAndDeleteAccess: Access = ({ req, id }) => {
  const { user } = req;

  if (!user) {
    return false;
  }

  if (isSuperAdmin(user) || isAccessingSelf({ user, id })) {
    return true;
  }

  /**
   * Constrains update and delete access to users that belong
   * to the same tenant as the admin making the request
   *
   * You may want to take this a step further with a beforeChange
   * hook to ensure that the admin can only remove users
   * from their own tenant in the tenants array.
   */
  return {
    "tenants.tenant": {
      in: getUserTenantIDs(user, "admin"),
    },
  };
};