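from rest_framework.permissions import BasePermission, SAFE_METHODS


# NOTE: DRF evaluates has_object_permission() only when the view calls
# check_object_permissions() (the generic views do so inside get_object()).
# List endpoints are not filtered by these classes; restrict the queryset
# separately where that matters.


class IsOwner(BasePermission):
    """Object-level: allow access only to the object's owner."""

    def has_object_permission(self, request, view, obj):
        """Return True when ``obj.owner`` equals the requesting user."""
        return obj.owner == request.user


class IsCreator(BasePermission):
    """Object-level: allow access only to the object's creator."""

    def has_object_permission(self, request, view, obj):
        """Return True when ``obj.creator`` equals the requesting user."""
        return obj.creator == request.user


class IsOwnerOrReadOnly(BasePermission):
    """Object-level: anyone may read; only the object's owner may modify."""

    def has_object_permission(self, request, view, obj):
        """Allow every SAFE_METHODS request; otherwise require ownership."""
        if request.method in SAFE_METHODS:
            return True
        return obj.owner == request.user


class WebhookPermission(BasePermission):
    """
    Validates the X-Webhook-Secret header against settings.WEBHOOK_SECRET.
    Used on the RunPod callback endpoint.
    """

    def has_permission(self, request, view):
        """Return True only if the header matches a non-empty configured secret.

        Fails closed: an unset or empty ``WEBHOOK_SECRET`` denies every
        request, so a missing setting can never be matched by an empty header.
        """
        from django.conf import settings
        from django.utils.crypto import constant_time_compare

        expected = getattr(settings, "WEBHOOK_SECRET", None)
        if not expected:
            return False

        supplied = request.headers.get("X-Webhook-Secret", "")
        # A plain ``==`` can stop at the first differing character, so the
        # response time may reveal how much of the secret matched.
        # constant_time_compare takes the same time wherever the mismatch is.
        return constant_time_compare(supplied, expected)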