import Update from "../../models/update.js";

export default defineEventHandler(async (event) => {
  const id = getRouterParam(event, "id");
  let memberId = null
  try {
    const member = await requireAuth(event)
    memberId = member._id.toString()
  } catch {
    // Not authenticated — continue with public-only access
  }

  try {
    const update = await Update.findById(id).populate("author", "name avatar");

    if (!update) {
      throw createError({
        statusCode: 404,
        statusMessage: "Update not found",
      });
    }

    // Check privacy permissions
    if (update.privacy === "private") {
      // Only author can view private updates
      if (!memberId || update.author._id.toString() !== memberId) {
        throw createError({
          statusCode: 403,
          statusMessage: "You don't have permission to view this update",
        });
      }
    } else if (update.privacy === "members") {
      // Must be authenticated to view members-only updates
      if (!memberId) {
        throw createError({
          statusCode: 403,
          statusMessage: "You must be a member to view this update",
        });
      }
    }

    return update;
  } catch (error) {
    if (error.statusCode) throw error;
    console.error("Get update error:", error);
    throw createError({
      statusCode: 500,
      statusMessage: "Failed to fetch update",
    });
  }
});