-- ============================================================================
-- Fix All Permission Codes to Match Backend Code
-- This migration adds all missing permissions that the code actually checks for
-- ============================================================================

BEGIN;

-- ============================================================================
-- Delete old incorrect permissions and role mappings
-- ============================================================================

DELETE FROM role_permissions;
DELETE FROM permissions;

-- ============================================================================
-- Create ALL permissions that backend code actually checks for
-- ============================================================================

INSERT INTO permissions (id, code, name, description, module, created_at)
VALUES
    -- Users Permissions
    (gen_random_uuid(), 'users.view', 'View Users', 'View user list and profiles', 'users', NOW()),
    (gen_random_uuid(), 'users.create', 'Create Users', 'Create new users', 'users', NOW()),
    (gen_random_uuid(), 'users.edit', 'Edit Users', 'Edit user information', 'users', NOW()),
    (gen_random_uuid(), 'users.approve', 'Approve Users', 'Approve pending memberships', 'users', NOW()),
    (gen_random_uuid(), 'users.import', 'Import Users', 'Import users from CSV', 'users', NOW()),
    (gen_random_uuid(), 'users.export', 'Export Users', 'Export users to CSV', 'users', NOW()),
    (gen_random_uuid(), 'users.status', 'Change User Status', 'Update user status', 'users', NOW()),
    (gen_random_uuid(), 'users.reset_password', 'Reset User Password', 'Reset user passwords', 'users', NOW()),
    (gen_random_uuid(), 'users.resend_verification', 'Resend Verification', 'Resend email verification', 'users', NOW()),

    -- Events Permissions
    (gen_random_uuid(), 'events.view', 'View Events', 'View event list', 'events', NOW()),
    (gen_random_uuid(), 'events.create', 'Create Events', 'Create new events', 'events', NOW()),
    (gen_random_uuid(), 'events.edit', 'Edit Events', 'Edit event information', 'events', NOW()),
    (gen_random_uuid(), 'events.delete', 'Delete Events', 'Delete events', 'events', NOW()),
    (gen_random_uuid(), 'events.rsvps', 'View RSVPs', 'View event RSVPs', 'events', NOW()),
    (gen_random_uuid(), 'events.attendance', 'Manage Attendance', 'Mark attendance', 'events', NOW()),

    -- Gallery Permissions
    (gen_random_uuid(), 'gallery.upload', 'Upload Photos', 'Upload event photos', 'gallery', NOW()),
    (gen_random_uuid(), 'gallery.edit', 'Edit Gallery', 'Edit photo captions', 'gallery', NOW()),
    (gen_random_uuid(), 'gallery.delete', 'Delete Photos', 'Delete event photos', 'gallery', NOW()),

    -- Subscriptions Permissions
    (gen_random_uuid(), 'subscriptions.view', 'View Subscriptions', 'View user subscriptions', 'subscriptions', NOW()),
    (gen_random_uuid(), 'subscriptions.plans', 'Manage Plans', 'Manage subscription plans', 'subscriptions', NOW()),
    (gen_random_uuid(), 'subscriptions.edit', 'Edit Subscriptions', 'Edit user subscriptions', 'subscriptions', NOW()),
    (gen_random_uuid(), 'subscriptions.cancel', 'Cancel Subscriptions', 'Cancel subscriptions', 'subscriptions', NOW()),
    (gen_random_uuid(), 'subscriptions.activate', 'Activate Subscriptions', 'Manually activate subscriptions', 'subscriptions', NOW()),
    (gen_random_uuid(), 'subscriptions.export', 'Export Subscriptions', 'Export subscription data', 'subscriptions', NOW()),

    -- Donations Permissions
    (gen_random_uuid(), 'donations.view', 'View Donations', 'View donation records', 'donations', NOW()),
    (gen_random_uuid(), 'donations.export', 'Export Donations', 'Export donation data', 'donations', NOW()),

    -- Financials Permissions (Financial Reports)
    (gen_random_uuid(), 'financials.create', 'Create Financial Reports', 'Upload financial reports', 'financials', NOW()),
    (gen_random_uuid(), 'financials.edit', 'Edit Financial Reports', 'Edit financial reports', 'financials', NOW()),
    (gen_random_uuid(), 'financials.delete', 'Delete Financial Reports', 'Delete financial reports', 'financials', NOW()),

    -- Newsletters Permissions
    (gen_random_uuid(), 'newsletters.create', 'Create Newsletters', 'Upload newsletter archives', 'newsletters', NOW()),
    (gen_random_uuid(), 'newsletters.edit', 'Edit Newsletters', 'Edit newsletter archives', 'newsletters', NOW()),
    (gen_random_uuid(), 'newsletters.delete', 'Delete Newsletters', 'Delete newsletter archives', 'newsletters', NOW()),

    -- Bylaws Permissions
    (gen_random_uuid(), 'bylaws.create', 'Create Bylaws', 'Upload bylaws documents', 'bylaws', NOW()),
    (gen_random_uuid(), 'bylaws.edit', 'Edit Bylaws', 'Edit bylaws documents', 'bylaws', NOW()),
    (gen_random_uuid(), 'bylaws.delete', 'Delete Bylaws', 'Delete bylaws documents', 'bylaws', NOW()),

    -- Settings Permissions
    (gen_random_uuid(), 'settings.storage', 'View Storage Usage', 'View storage usage statistics', 'settings', NOW())
ON CONFLICT (code) DO NOTHING;

-- ============================================================================
-- Assign Permissions to Roles
-- ============================================================================

-- Guest Role: No permissions
-- (Members can only view their own data through different endpoints)

-- Member Role: Basic viewing only
INSERT INTO role_permissions (id, role, role_id, permission_id, created_at)
SELECT
    gen_random_uuid(),
    'member',
    (SELECT id FROM roles WHERE code = 'member'),
    p.id,
    NOW()
FROM permissions p
WHERE p.code IN (
    'events.view'
)
ON CONFLICT DO NOTHING;

-- Admin Role: Full management except financial
INSERT INTO role_permissions (id, role, role_id, permission_id, created_at)
SELECT
    gen_random_uuid(),
    'admin',
    (SELECT id FROM roles WHERE code = 'admin'),
    p.id,
    NOW()
FROM permissions p
WHERE p.code IN (
    -- User Management
    'users.view', 'users.create', 'users.edit', 'users.approve', 'users.import',
    'users.export', 'users.status', 'users.reset_password', 'users.resend_verification',

    -- Event Management
    'events.view', 'events.create', 'events.edit', 'events.delete', 'events.rsvps', 'events.attendance',

    -- Gallery
    'gallery.upload', 'gallery.edit', 'gallery.delete',

    -- Content
    'newsletters.create', 'newsletters.edit', 'newsletters.delete',
    'bylaws.create', 'bylaws.edit', 'bylaws.delete',

    -- Settings
    'settings.storage'
)
ON CONFLICT DO NOTHING;

-- Finance Role: Financial permissions + basic viewing
INSERT INTO role_permissions (id, role, role_id, permission_id, created_at)
SELECT
    gen_random_uuid(),
    'finance',
    (SELECT id FROM roles WHERE code = 'finance'),
    p.id,
    NOW()
FROM permissions p
WHERE p.code IN (
    -- Subscriptions & Donations
    'subscriptions.view', 'subscriptions.plans', 'subscriptions.edit',
    'subscriptions.cancel', 'subscriptions.activate', 'subscriptions.export',
    'donations.view', 'donations.export',

    -- Financial Reports
    'financials.create', 'financials.edit', 'financials.delete',

    -- Basic Access
    'users.view',
    'events.view'
)
ON CONFLICT DO NOTHING;

-- Superadmin Role: ALL permissions
INSERT INTO role_permissions (id, role, role_id, permission_id, created_at)
SELECT
    gen_random_uuid(),
    'superadmin',
    (SELECT id FROM roles WHERE code = 'superadmin'),
    p.id,
    NOW()
FROM permissions p
ON CONFLICT DO NOTHING;

COMMIT;

\echo '✅ All permissions fixed!'
\echo ''
\echo 'Permission counts by role:'
\echo '  - Guest: 0'
\echo '  - Member: 1'
\echo '  - Admin: ~25'
\echo '  - Finance: ~13'
\echo '  - Superadmin: ALL (40 total)'
\echo ''
\echo 'Next: Restart backend with: pm2 restart membership-backend'