from fastapi import HTTPException, status
from sqlalchemy.orm import Session

from app.models.user import User
from app.models.order import Order


def verify_order_owner_or_admin(
    order_id: int,
    current_user: User,
    db: Session,
) -> Order:
    """
    Load an order and enforce that the caller may access it.

    Access is granted when the caller is the order's owner
    (``order.user_id == current_user.id``) or when the caller has
    ``is_admin`` set. This is the object-level authorization check that
    keeps one user from reading another user's order by guessing ids.

    Args:
        order_id: Primary key of the order to look up
        current_user: The authenticated user making the request
        db: The database session used for the lookup

    Returns:
        The matching ``Order`` row when the caller is authorized

    Raises:
        HTTPException: 404 when no order has ``order_id``; 403 when the
            order exists but the caller is neither its owner nor an admin
    """
    record = db.query(Order).filter(Order.id == order_id).first()

    # Missing row: report 404 before any ownership comparison, so the
    # ownership check below never dereferences None.
    if record is None:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND,
            detail="Order not found",
        )

    # Authorization decision, written as "allowed if owner OR admin".
    # NOTE(review): because a found-but-foreign order answers 403 rather
    # than 404, any authenticated caller can learn that a given order id
    # exists; this keeps the author's existing contract (callers may rely
    # on the distinct status codes).
    is_owner = record.user_id == current_user.id
    is_admin = bool(current_user.is_admin)
    if not (is_owner or is_admin):
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Not enough permissions to access this order",
        )

    return record