Implement RBAC migration and role management enhancements

- Added AJAX functionality to fetch role permissions for copying.
- Introduced system role management with permission checks for updates.
- Implemented role deletion with confirmation modal and backend handling.
- Enhanced user role assignment migration scripts to transition from legacy profiles to RBAC.
- Created SQL migration scripts for user roles and permissions mapping.
- Updated user interface to support new role management features including copy permissions and system role indicators.

assets/database/migration_profiles_to_rbac.sql

@@ -0,0 +1,222 @@
+-- ===================================================
+-- PROFILE TO RBAC MIGRATION SCRIPT
+-- Date: 2025-01-22
+-- Description: Migrate from settingsprofiles.php to user_roles RBAC system
+-- Note: Uses existing access_elements table (already populated)
+-- ===================================================
+
+START TRANSACTION;
+
+-- ===================================================
+-- PHASE 1: CREATE ROLES (matching existing profiles)
+-- ===================================================
+
+INSERT INTO `user_roles` (`name`, `description`, `is_active`, `created`, `createdby`) VALUES
+('Standard', 'Basic user access - view equipment, history, service reports', 1, NOW(), 1),
+('Superuser', 'Extended access - manage equipment, products, users', 1, NOW(), 1),
+('Admin', 'Administrative access - full management capabilities', 1, NOW(), 1),
+('AdminPlus', 'System administrator - complete system access', 1, NOW(), 1),
+('Build', 'Build tool access only', 1, NOW(), 1),
+('Commerce', 'E-commerce and catalog management', 1, NOW(), 1),
+('Distribution', 'Distribution partner access', 1, NOW(), 1),
+('Firmware', 'Firmware/software update access only', 1, NOW(), 1),
+('Garage', 'Car testing and diagnostics', 1, NOW(), 1),
+('Interface', 'API/Interface access', 1, NOW(), 1),
+('Service', 'Service technician access', 1, NOW(), 1),
+('Other', 'Miscellaneous access level', 1, NOW(), 1)
+ON DUPLICATE KEY UPDATE `description` = VALUES(`description`);
+
+-- ===================================================
+-- PHASE 2: CREATE ROLE_ACCESS_PERMISSIONS MAPPINGS
+-- ===================================================
+
+-- Get role IDs
+SET @role_standard = (SELECT rowID FROM user_roles WHERE name = 'Standard' LIMIT 1);
+SET @role_superuser = (SELECT rowID FROM user_roles WHERE name = 'Superuser' LIMIT 1);
+SET @role_admin = (SELECT rowID FROM user_roles WHERE name = 'Admin' LIMIT 1);
+SET @role_adminplus = (SELECT rowID FROM user_roles WHERE name = 'AdminPlus' LIMIT 1);
+SET @role_build = (SELECT rowID FROM user_roles WHERE name = 'Build' LIMIT 1);
+SET @role_commerce = (SELECT rowID FROM user_roles WHERE name = 'Commerce' LIMIT 1);
+SET @role_distribution = (SELECT rowID FROM user_roles WHERE name = 'Distribution' LIMIT 1);
+SET @role_firmware = (SELECT rowID FROM user_roles WHERE name = 'Firmware' LIMIT 1);
+SET @role_garage = (SELECT rowID FROM user_roles WHERE name = 'Garage' LIMIT 1);
+SET @role_interface = (SELECT rowID FROM user_roles WHERE name = 'Interface' LIMIT 1);
+SET @role_service = (SELECT rowID FROM user_roles WHERE name = 'Service' LIMIT 1);
+SET @role_other = (SELECT rowID FROM user_roles WHERE name = 'Other' LIMIT 1);
+
+-- ===================================================
+-- STANDARD ROLE PERMISSIONS (Read-only)
+-- Profile: application,firmwaretool,histories,history,servicereport,servicereports,dashboard,profile,equipment,equipments,products_software
+-- ===================================================
+INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
+SELECT @role_standard, rowID, 0, 1, 0, 0 FROM access_elements WHERE access_path IN (
+    'application', 'firmwaretool', 'histories', 'history', 'servicereport', 'servicereports',
+    'dashboard', 'profile', 'equipment', 'equipments', 'products_software'
+)
+ON DUPLICATE KEY UPDATE can_read = 1;
+
+-- ===================================================
+-- SUPERUSER ROLE PERMISSIONS (Create, Read, Update)
+-- Profile: application,assets,firmwaretool,histories,history,history_manage,marketing,partner,partners,
+--          servicereport,servicereports,admin,dashboard,profile,equipment,equipment_manage,
+--          equipment_manage_edit,equipments,equipments_mass_update,product,product_manage,products,
+--          products_software,products_versions,user,user_manage,users
+-- ===================================================
+INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
+SELECT @role_superuser, rowID, 1, 1, 1, 0 FROM access_elements WHERE access_path IN (
+    'application', 'firmwaretool', 'histories', 'history', 'history_manage',
+    'marketing', 'partner', 'partners', 'servicereport', 'servicereports',
+    'dashboard', 'profile', 'equipment', 'equipment_manage',
+    'equipments', 'equipments_mass_update', 'product', 'product_manage', 'products',
+    'products_software', 'products_versions', 'user', 'users'
+)
+ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1;
+
+-- ===================================================
+-- ADMIN ROLE PERMISSIONS (Full CRUD)
+-- ===================================================
+INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
+SELECT @role_admin, rowID, 1, 1, 1, 1 FROM access_elements WHERE access_path IN (
+    'application', 'buildtool', 'cartest', 'cartest_manage', 'cartests',
+    'changelog', 'communication', 'communication_send', 'communications', 'firmwaretool',
+    'histories', 'history', 'history_manage', 'marketing', 'partner', 'partners',
+    'servicereport', 'servicereports', 'software_available', 'software_download',
+    'software_update', 'softwaretool', 'account', 'accounts', 'dashboard', 'profile',
+    'contract', 'contract_manage', 'contracts', 'equipment', 'equipment_data',
+    'equipment_healthindex', 'equipment_history', 'equipment_manage',
+    'equipments', 'equipments_mass_update', 'product', 'product_manage', 'products',
+    'products_software', 'products_software_assignment', 'products_software_assignments',
+    'products_software_licenses', 'products_versions', 'report_build',
+    'report_contracts_billing', 'report_healthindex', 'rma', 'rma_history',
+    'rma_manage', 'rmas', 'user', 'users'
+)
+ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1, can_delete = 1;
+
+-- ===================================================
+-- ADMINPLUS ROLE PERMISSIONS (Full access to everything)
+-- ===================================================
+INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
+SELECT @role_adminplus, rowID, 1, 1, 1, 1 FROM access_elements WHERE is_active = 1
+ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1, can_delete = 1;
+
+-- ===================================================
+-- BUILD ROLE PERMISSIONS
+-- Profile: application,buildtool,firmwaretool,dashboard,profile,products_software
+-- ===================================================
+INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
+SELECT @role_build, rowID, 1, 1, 1, 0 FROM access_elements WHERE access_path IN (
+    'application', 'buildtool', 'firmwaretool', 'dashboard', 'profile', 'products_software'
+)
+ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1;
+
+-- ===================================================
+-- COMMERCE ROLE PERMISSIONS
+-- ===================================================
+INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
+SELECT @role_commerce, rowID, 1, 1, 1, 1 FROM access_elements WHERE access_path IN (
+    'application', 'catalog', 'categories', 'category', 'checkout', 'discount', 'discounts',
+    'identity', 'invoice', 'media', 'media_manage', 'order', 'orders', 'partner', 'partners',
+    'placeorder', 'pricelists', 'pricelists_items', 'pricelists_manage', 'shipping',
+    'shipping_manage', 'shopping_cart', 'taxes', 'transactions', 'transactions_items',
+    'translation_manage', 'translations', 'translations_details', 'uploader',
+    'dashboard', 'profile', 'product', 'product_manage', 'products', 'products_attributes',
+    'products_attributes_items', 'products_attributes_manage', 'products_categories',
+    'products_configurations', 'products_media', 'products_software', 'products_versions',
+    'user', 'users'
+)
+ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1, can_delete = 1;
+
+-- ===================================================
+-- DISTRIBUTION ROLE PERMISSIONS
+-- ===================================================
+INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
+SELECT @role_distribution, rowID, 1, 1, 1, 0 FROM access_elements WHERE access_path IN (
+    'application', 'firmwaretool', 'histories', 'history', 'history_manage',
+    'marketing', 'partner', 'partners', 'servicereport', 'servicereports',
+    'dashboard', 'profile', 'equipment', 'equipment_manage',
+    'equipments', 'equipments_mass_update', 'product', 'product_manage', 'products',
+    'products_software', 'products_versions', 'user', 'users'
+)
+ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1;
+
+-- ===================================================
+-- FIRMWARE ROLE PERMISSIONS
+-- Profile: application,software_available,software_download,software_update,softwaretool,
+--          transactions,transactions_items,products_software_versions
+-- ===================================================
+INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
+SELECT @role_firmware, rowID, 0, 1, 1, 0 FROM access_elements WHERE access_path IN (
+    'application', 'software_available', 'software_download', 'software_update',
+    'softwaretool', 'transactions', 'transactions_items', 'products_software_versions'
+)
+ON DUPLICATE KEY UPDATE can_read = 1, can_update = 1;
+
+-- ===================================================
+-- GARAGE ROLE PERMISSIONS
+-- Profile: application,cartest,cartest_manage,cartests,dashboard,profile,products_versions
+-- ===================================================
+INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
+SELECT @role_garage, rowID, 1, 1, 1, 0 FROM access_elements WHERE access_path IN (
+    'application', 'cartest', 'cartest_manage', 'cartests', 'dashboard', 'profile', 'products_versions'
+)
+ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1;
+
+-- ===================================================
+-- INTERFACE ROLE PERMISSIONS
+-- Profile: application,firmwaretool,invoice,payment,transactions,transactions_items,
+--          contract,contracts,equipment_manage,equipments,products_software,products_versions,users
+-- ===================================================
+INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
+SELECT @role_interface, rowID, 1, 1, 1, 0 FROM access_elements WHERE access_path IN (
+    'application', 'firmwaretool', 'invoice', 'payment', 'transactions', 'transactions_items',
+    'contract', 'contracts', 'equipment_manage', 'equipments', 'products_software',
+    'products_versions', 'users'
+)
+ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1;
+
+-- ===================================================
+-- SERVICE ROLE PERMISSIONS
+-- Profile: application,assets,firmwaretool,histories,history,history_manage,marketing,partner,partners,
+--          servicereport,servicereports,admin,dashboard,profile,equipment,equipment_manage,equipments,
+--          products_software,user,user_manage,users
+-- ===================================================
+INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
+SELECT @role_service, rowID, 1, 1, 1, 0 FROM access_elements WHERE access_path IN (
+    'application', 'firmwaretool', 'histories', 'history', 'history_manage',
+    'marketing', 'partner', 'partners', 'servicereport', 'servicereports',
+    'dashboard', 'profile', 'equipment', 'equipment_manage', 'equipments', 'products_software',
+    'user', 'users'
+)
+ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1;
+
+-- ===================================================
+-- OTHER ROLE PERMISSIONS
+-- Profile: application,assets,firmwaretool,histories,history,history_manage,marketing,partner,partners,
+--          servicereport,servicereports,admin,dashboard,profile,equipment,equipment_manage,equipments,products_software
+-- ===================================================
+INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
+SELECT @role_other, rowID, 0, 1, 1, 0 FROM access_elements WHERE access_path IN (
+    'application', 'firmwaretool', 'histories', 'history', 'history_manage',
+    'marketing', 'partner', 'partners', 'servicereport', 'servicereports',
+    'dashboard', 'profile', 'equipment', 'equipment_manage', 'equipments', 'products_software'
+)
+ON DUPLICATE KEY UPDATE can_read = 1, can_update = 1;
+
+-- ===================================================
+-- VERIFICATION QUERIES
+-- ===================================================
+
+-- Check roles created
+SELECT rowID, name, description, is_active FROM user_roles ORDER BY rowID;
+
+-- Check permissions per role
+SELECT ur.name as role_name, COUNT(rap.rowID) as permission_count
+FROM user_roles ur
+LEFT JOIN role_access_permissions rap ON ur.rowID = rap.role_id
+GROUP BY ur.rowID, ur.name
+ORDER BY ur.rowID;
+
+-- ===================================================
+-- Change ROLLBACK to COMMIT when ready to apply
+-- ===================================================
+COMMIT;