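-- ===================================================
-- PROFILE TO RBAC MIGRATION SCRIPT
-- Date: 2025-01-22
-- Description: Migrate from settingsprofiles.php to user_roles RBAC system
-- Note: Uses existing access_elements table (already populated)
--
-- Dialect: MySQL/MariaDB (backticks, NOW(), user variables,
--          INSERT ... ON DUPLICATE KEY UPDATE).
--
-- Schema assumptions this script relies on (verify before running):
--   * user_roles.name has a UNIQUE key. Without it the ON DUPLICATE KEY
--     clause never fires, every re-run inserts a second role with the same
--     name, and the `LIMIT 1` lookups below pick an arbitrary one.
--   * role_access_permissions has a UNIQUE key on (role_id, access_id).
--     Without it every re-run duplicates the permission rows.
--   * role_access_permissions.role_id is NOT NULL / a foreign key. If a role
--     lookup below returns NULL, a nullable column would silently accept
--     rows with role_id = NULL.
--
-- Behavioural notes:
--   * This migration is ADDITIVE ONLY. The ON DUPLICATE KEY UPDATE clauses
--     only ever set flags to 1; they never revoke. Re-running it on an
--     environment where a role's permissions were later tightened will
--     re-grant them. Do not use this script to reduce privileges.
--   * AdminPlus is granted every access_elements row with is_active = 1 at
--     the moment the script runs; elements created later are NOT picked up
--     automatically.
--   * The other roles do not filter on access_elements.is_active, so inactive
--     elements in their lists still receive explicit permission rows
--     (harmless only if the application also checks is_active).
--   * Access paths listed in an IN (...) clause that have no access_elements
--     row are silently skipped (fail-closed, but invisible). Compare the
--     ROW_COUNT() reported after each INSERT with the expected count noted
--     in its comment.
--   * createdby is hard-coded to user 1; adjust if that is not the intended
--     system/migration account.
--   * The script COMMITs at the end (see final section).
-- ===================================================

START TRANSACTION;

-- ===================================================
-- PHASE 1: CREATE ROLES (matching existing profiles)
-- ===================================================
INSERT INTO `user_roles` (`name`, `description`, `is_active`, `created`, `createdby`)
VALUES
    ('Standard',     'Basic user access - view equipment, history, service reports', 1, NOW(), 1),
    ('Superuser',    'Extended access - manage equipment, products, users',         1, NOW(), 1),
    ('Admin',        'Administrative access - full management capabilities',        1, NOW(), 1),
    ('AdminPlus',    'System administrator - complete system access',               1, NOW(), 1),
    ('Build',        'Build tool access only',                                      1, NOW(), 1),
    ('Commerce',     'E-commerce and catalog management',                           1, NOW(), 1),
    ('Distribution', 'Distribution partner access',                                 1, NOW(), 1),
    ('Firmware',     'Firmware/software update access only',                        1, NOW(), 1),
    ('Garage',       'Car testing and diagnostics',                                 1, NOW(), 1),
    ('Interface',    'API/Interface access',                                        1, NOW(), 1),
    ('Service',      'Service technician access',                                   1, NOW(), 1),
    ('Other',        'Miscellaneous access level',                                  1, NOW(), 1)
ON DUPLICATE KEY UPDATE `description` = VALUES(`description`);

-- ===================================================
-- PHASE 2: CREATE ROLE_ACCESS_PERMISSIONS MAPPINGS
-- ===================================================

-- Resolve role IDs. Each lookup yields NULL if the role is missing; the
-- sanity query in the VERIFICATION section surfaces that.
SET @role_standard     = (SELECT rowID FROM user_roles WHERE name = 'Standard'     LIMIT 1);
SET @role_superuser    = (SELECT rowID FROM user_roles WHERE name = 'Superuser'    LIMIT 1);
SET @role_admin        = (SELECT rowID FROM user_roles WHERE name = 'Admin'        LIMIT 1);
SET @role_adminplus    = (SELECT rowID FROM user_roles WHERE name = 'AdminPlus'    LIMIT 1);
SET @role_build        = (SELECT rowID FROM user_roles WHERE name = 'Build'        LIMIT 1);
SET @role_commerce     = (SELECT rowID FROM user_roles WHERE name = 'Commerce'     LIMIT 1);
SET @role_distribution = (SELECT rowID FROM user_roles WHERE name = 'Distribution' LIMIT 1);
SET @role_firmware     = (SELECT rowID FROM user_roles WHERE name = 'Firmware'     LIMIT 1);
SET @role_garage       = (SELECT rowID FROM user_roles WHERE name = 'Garage'       LIMIT 1);
SET @role_interface    = (SELECT rowID FROM user_roles WHERE name = 'Interface'    LIMIT 1);
SET @role_service      = (SELECT rowID FROM user_roles WHERE name = 'Service'      LIMIT 1);
SET @role_other        = (SELECT rowID FROM user_roles WHERE name = 'Other'        LIMIT 1);

-- ===================================================
-- STANDARD ROLE PERMISSIONS (Read-only)
-- Profile: application,firmwaretool,histories,history,servicereport,servicereports,dashboard,profile,equipment,equipments,products_software
-- Expected ROW_COUNT() on first run: 11 (one per listed path that exists)
-- ===================================================
INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
SELECT @role_standard, rowID, 0, 1, 0, 0
FROM access_elements
WHERE access_path IN (
    'application', 'firmwaretool', 'histories', 'history', 'servicereport',
    'servicereports', 'dashboard', 'profile', 'equipment', 'equipments',
    'products_software'
)
ON DUPLICATE KEY UPDATE can_read = 1;
SELECT 'Standard' AS role_name, ROW_COUNT() AS rows_affected;

-- ===================================================
-- SUPERUSER ROLE PERMISSIONS (Create, Read, Update)
-- Profile: application,assets,firmwaretool,histories,history,history_manage,marketing,partner,partners,
--          servicereport,servicereports,admin,dashboard,profile,equipment,equipment_manage,
--          equipment_manage_edit,equipments,equipments_mass_update,product,product_manage,products,
--          products_software,products_versions,user,user_manage,users
-- NOTE(review): the legacy profile names `assets`, `admin`, `user_manage` and
-- `equipment_manage_edit`, none of which appear in the IN list below. If
-- access_elements has rows for them, this role loses them on migration;
-- confirm that is intended.
-- Expected ROW_COUNT() on first run: 23
-- ===================================================
INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
SELECT @role_superuser, rowID, 1, 1, 1, 0
FROM access_elements
WHERE access_path IN (
    'application', 'firmwaretool', 'histories', 'history', 'history_manage',
    'marketing', 'partner', 'partners', 'servicereport', 'servicereports',
    'dashboard', 'profile', 'equipment', 'equipment_manage', 'equipments',
    'equipments_mass_update', 'product', 'product_manage', 'products',
    'products_software', 'products_versions', 'user', 'users'
)
ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1;
SELECT 'Superuser' AS role_name, ROW_COUNT() AS rows_affected;

-- ===================================================
-- ADMIN ROLE PERMISSIONS (Full CRUD)
-- Expected ROW_COUNT() on first run: 53
-- ===================================================
INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
SELECT @role_admin, rowID, 1, 1, 1, 1
FROM access_elements
WHERE access_path IN (
    'application', 'buildtool', 'cartest', 'cartest_manage', 'cartests',
    'changelog', 'communication', 'communication_send', 'communications',
    'firmwaretool', 'histories', 'history', 'history_manage', 'marketing',
    'partner', 'partners', 'servicereport', 'servicereports',
    'software_available', 'software_download', 'software_update', 'softwaretool',
    'account', 'accounts', 'dashboard', 'profile',
    'contract', 'contract_manage', 'contracts',
    'equipment', 'equipment_data', 'equipment_healthindex', 'equipment_history',
    'equipment_manage', 'equipments', 'equipments_mass_update',
    'product', 'product_manage', 'products', 'products_software',
    'products_software_assignment', 'products_software_assignments',
    'products_software_licenses', 'products_versions',
    'report_build', 'report_contracts_billing', 'report_healthindex',
    'rma', 'rma_history', 'rma_manage', 'rmas',
    'user', 'users'
)
ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1, can_delete = 1;
SELECT 'Admin' AS role_name, ROW_COUNT() AS rows_affected;

-- ===================================================
-- ADMINPLUS ROLE PERMISSIONS (Full access to everything)
-- Snapshot of every active access element at run time; new elements added
-- after this migration must be granted separately.
-- ===================================================
INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
SELECT @role_adminplus, rowID, 1, 1, 1, 1
FROM access_elements
WHERE is_active = 1
ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1, can_delete = 1;
SELECT 'AdminPlus' AS role_name, ROW_COUNT() AS rows_affected;

-- ===================================================
-- BUILD ROLE PERMISSIONS
-- Profile: application,buildtool,firmwaretool,dashboard,profile,products_software
-- Expected ROW_COUNT() on first run: 6
-- ===================================================
INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
SELECT @role_build, rowID, 1, 1, 1, 0
FROM access_elements
WHERE access_path IN (
    'application', 'buildtool', 'firmwaretool', 'dashboard', 'profile',
    'products_software'
)
ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1;
SELECT 'Build' AS role_name, ROW_COUNT() AS rows_affected;

-- ===================================================
-- COMMERCE ROLE PERMISSIONS (Full CRUD on the commerce surface)
-- Expected ROW_COUNT() on first run: 44
-- ===================================================
INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
SELECT @role_commerce, rowID, 1, 1, 1, 1
FROM access_elements
WHERE access_path IN (
    'application', 'catalog', 'categories', 'category', 'checkout',
    'discount', 'discounts', 'identity', 'invoice', 'media', 'media_manage',
    'order', 'orders', 'partner', 'partners', 'placeorder',
    'pricelists', 'pricelists_items', 'pricelists_manage',
    'shipping', 'shipping_manage', 'shopping_cart', 'taxes',
    'transactions', 'transactions_items',
    'translation_manage', 'translations', 'translations_details',
    'uploader', 'dashboard', 'profile',
    'product', 'product_manage', 'products',
    'products_attributes', 'products_attributes_items', 'products_attributes_manage',
    'products_categories', 'products_configurations', 'products_media',
    'products_software', 'products_versions',
    'user', 'users'
)
ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1, can_delete = 1;
SELECT 'Commerce' AS role_name, ROW_COUNT() AS rows_affected;

-- ===================================================
-- DISTRIBUTION ROLE PERMISSIONS
-- NOTE(review): this list is identical to the Superuser list, including
-- create/update on `user` and `users`. Confirm that distribution partners
-- are meant to manage user accounts.
-- Expected ROW_COUNT() on first run: 23
-- ===================================================
INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
SELECT @role_distribution, rowID, 1, 1, 1, 0
FROM access_elements
WHERE access_path IN (
    'application', 'firmwaretool', 'histories', 'history', 'history_manage',
    'marketing', 'partner', 'partners', 'servicereport', 'servicereports',
    'dashboard', 'profile', 'equipment', 'equipment_manage', 'equipments',
    'equipments_mass_update', 'product', 'product_manage', 'products',
    'products_software', 'products_versions', 'user', 'users'
)
ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1;
SELECT 'Distribution' AS role_name, ROW_COUNT() AS rows_affected;

-- ===================================================
-- FIRMWARE ROLE PERMISSIONS (Read, Update)
-- Profile: application,software_available,software_download,software_update,softwaretool,
--          transactions,transactions_items,products_software_versions
-- Expected ROW_COUNT() on first run: 8
-- ===================================================
INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
SELECT @role_firmware, rowID, 0, 1, 1, 0
FROM access_elements
WHERE access_path IN (
    'application', 'software_available', 'software_download', 'software_update',
    'softwaretool', 'transactions', 'transactions_items',
    'products_software_versions'
)
ON DUPLICATE KEY UPDATE can_read = 1, can_update = 1;
SELECT 'Firmware' AS role_name, ROW_COUNT() AS rows_affected;

-- ===================================================
-- GARAGE ROLE PERMISSIONS
-- Profile: application,cartest,cartest_manage,cartests,dashboard,profile,products_versions
-- Expected ROW_COUNT() on first run: 7
-- ===================================================
INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
SELECT @role_garage, rowID, 1, 1, 1, 0
FROM access_elements
WHERE access_path IN (
    'application', 'cartest', 'cartest_manage', 'cartests', 'dashboard',
    'profile', 'products_versions'
)
ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1;
SELECT 'Garage' AS role_name, ROW_COUNT() AS rows_affected;

-- ===================================================
-- INTERFACE ROLE PERMISSIONS
-- Profile: application,firmwaretool,invoice,payment,transactions,transactions_items,
--          contract,contracts,equipment_manage,equipments,products_software,products_versions,users
-- NOTE(review): this is an API/integration role that receives create and
-- update on `payment`, `invoice`, `transactions` and `contracts`. Confirm
-- the integration actually needs write access to financial records; if it
-- only reads them, grant can_read alone.
-- Expected ROW_COUNT() on first run: 13
-- ===================================================
INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
SELECT @role_interface, rowID, 1, 1, 1, 0
FROM access_elements
WHERE access_path IN (
    'application', 'firmwaretool', 'invoice', 'payment', 'transactions',
    'transactions_items', 'contract', 'contracts', 'equipment_manage',
    'equipments', 'products_software', 'products_versions', 'users'
)
ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1;
SELECT 'Interface' AS role_name, ROW_COUNT() AS rows_affected;

-- ===================================================
-- SERVICE ROLE PERMISSIONS
-- Profile: application,assets,firmwaretool,histories,history,history_manage,marketing,partner,partners,
--          servicereport,servicereports,admin,dashboard,profile,equipment,equipment_manage,equipments,
--          products_software,user,user_manage,users
-- NOTE(review): `assets`, `admin` and `user_manage` from the legacy profile
-- are not in the IN list below; confirm this is intentional.
-- Expected ROW_COUNT() on first run: 18
-- ===================================================
INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
SELECT @role_service, rowID, 1, 1, 1, 0
FROM access_elements
WHERE access_path IN (
    'application', 'firmwaretool', 'histories', 'history', 'history_manage',
    'marketing', 'partner', 'partners', 'servicereport', 'servicereports',
    'dashboard', 'profile', 'equipment', 'equipment_manage', 'equipments',
    'products_software', 'user', 'users'
)
ON DUPLICATE KEY UPDATE can_create = 1, can_read = 1, can_update = 1;
SELECT 'Service' AS role_name, ROW_COUNT() AS rows_affected;

-- ===================================================
-- OTHER ROLE PERMISSIONS (Read, Update)
-- Profile: application,assets,firmwaretool,histories,history,history_manage,marketing,partner,partners,
--          servicereport,servicereports,admin,dashboard,profile,equipment,equipment_manage,equipments,products_software
-- NOTE(review): `assets` and `admin` from the legacy profile are not in the
-- IN list below; confirm this is intentional.
-- Expected ROW_COUNT() on first run: 16
-- ===================================================
INSERT INTO `role_access_permissions` (`role_id`, `access_id`, `can_create`, `can_read`, `can_update`, `can_delete`)
SELECT @role_other, rowID, 0, 1, 1, 0
FROM access_elements
WHERE access_path IN (
    'application', 'firmwaretool', 'histories', 'history', 'history_manage',
    'marketing', 'partner', 'partners', 'servicereport', 'servicereports',
    'dashboard', 'profile', 'equipment', 'equipment_manage', 'equipments',
    'products_software'
)
ON DUPLICATE KEY UPDATE can_read = 1, can_update = 1;
SELECT 'Other' AS role_name, ROW_COUNT() AS rows_affected;

-- ===================================================
-- VERIFICATION QUERIES
-- Review this output BEFORE the COMMIT below takes effect (run interactively,
-- or with the final statement changed to ROLLBACK for a dry run).
-- ===================================================

-- Role lookups: any NULL here means a role was not found and the
-- corresponding INSERT above ran with role_id = NULL (or inserted nothing).
SELECT
    @role_standard     AS role_standard,
    @role_superuser    AS role_superuser,
    @role_admin        AS role_admin,
    @role_adminplus    AS role_adminplus,
    @role_build        AS role_build,
    @role_commerce     AS role_commerce,
    @role_distribution AS role_distribution,
    @role_firmware     AS role_firmware,
    @role_garage       AS role_garage,
    @role_interface    AS role_interface,
    @role_service      AS role_service,
    @role_other        AS role_other;

-- Check roles created
SELECT rowID, name, description, is_active
FROM user_roles
ORDER BY rowID;

-- Check permissions per role
SELECT
    ur.name AS role_name,
    COUNT(rap.rowID) AS permission_count
FROM user_roles AS ur
LEFT JOIN role_access_permissions AS rap
    ON ur.rowID = rap.role_id
GROUP BY ur.rowID, ur.name
ORDER BY ur.rowID;

-- Detail view: which access paths each role actually received, so the
-- result can be compared against the Profile lists in the comments above.
SELECT
    ur.name AS role_name,
    GROUP_CONCAT(ae.access_path ORDER BY ae.access_path SEPARATOR ',') AS access_paths
FROM user_roles AS ur
LEFT JOIN role_access_permissions AS rap
    ON ur.rowID = rap.role_id
LEFT JOIN access_elements AS ae
    ON ae.rowID = rap.access_id
GROUP BY ur.rowID, ur.name
ORDER BY ur.rowID;

-- ===================================================
-- This script COMMITS. For a dry run (inspect the verification output
-- without persisting anything) replace COMMIT with ROLLBACK.
-- ===================================================
COMMIT;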