-- ============================================================
-- NICC Admin Menu - Migration 0003
-- Restrict the Manager role's permissions
-- Manager does NOT have access to:
--   - Sistema y Configuracion
--   - Herramientas
--   - Configurar Menu NICC
-- ============================================================

-- Revoke the manager role's permissions on the items of "Sistema y Configuracion"
-- (menu items whose category has code = 'system').
-- This is an UPDATE, so it only changes permission rows that already exist for
-- role = 'manager'. An item in this category that has no manager row, or that is
-- added after this migration runs, is not touched.
-- NOTE(review): confirm the application treats a missing permission row as "deny";
-- if a missing row falls back to "allow", this statement alone does not restrict manager.
UPDATE admin_menu_permissions
SET can_view = 0, can_execute = 0
WHERE role = 'manager'
AND item_id IN (
    -- ids of every menu item that belongs to the 'system' category
    SELECT i.id FROM admin_menu_items i
    JOIN admin_menu_categories c ON i.category_id = c.id
    WHERE c.code = 'system'
);

-- Revoke the manager role's permissions on the items of "Herramientas"
-- (menu items whose category has code = 'tools').
-- Only existing rows with role = 'manager' are set to 0/0; no deny row is created
-- for an item that currently has no manager row.
-- NOTE(review): verify that an absent row means "no access" in the permission check.
UPDATE admin_menu_permissions
SET can_view = 0, can_execute = 0
WHERE role = 'manager'
AND item_id IN (
    -- ids of every menu item that belongs to the 'tools' category
    SELECT i.id FROM admin_menu_items i
    JOIN admin_menu_categories c ON i.category_id = c.id
    WHERE c.code = 'tools'
);

-- Revoke the manager role's permissions on the "Configurar Menu NICC" item
-- (admin_menu_items.code = 'niccadminmenu').
-- This runs before the statement that inserts that item, so on a database where the
-- item does not exist yet the subquery is empty and the UPDATE changes nothing;
-- the explicit manager row (0, 0) is written by the INSERT OR REPLACE further down.
UPDATE admin_menu_permissions
SET can_view = 0, can_execute = 0
WHERE role = 'manager'
AND item_id IN (
    SELECT id FROM admin_menu_items WHERE code = 'niccadminmenu'
);

-- Insert the "Configurar Menu NICC" item if it does not exist yet.
-- INSERT OR IGNORE is SQLite's conflict clause: the row is skipped when it violates a
-- UNIQUE, PRIMARY KEY, NOT NULL or CHECK constraint.
-- NOTE(review): "if it does not exist" presumably relies on a UNIQUE constraint
-- covering admin_menu_items.code - verify in the schema; without one, every run of
-- this migration adds another 'niccadminmenu' row.
-- NOTE(review): category_id comes from a scalar subquery and is NULL when no category
-- with code = 'system' exists. If category_id is declared NOT NULL, OR IGNORE skips the
-- row without raising an error, and the permission inserts below then match no item.
INSERT OR IGNORE INTO admin_menu_items
(category_id, code, plugin_name, name, description, icon, url, sort_order)
VALUES (
    (SELECT id FROM admin_menu_categories WHERE code = 'system'),
    'niccadminmenu',
    'niccadminmenu',
    'Configurar Menu NICC',
    'Configurar permisos del menu de administracion',
    'settings',
    '?do=admin&page=niccadminmenu',
    10
);

-- Ensure superuser and admin have access to "Configurar Menu NICC".
-- INSERT OR REPLACE: on a UNIQUE or PRIMARY KEY conflict SQLite deletes the existing
-- row and inserts this one, so any column not listed here is reset to its default.
-- NOTE(review): presumably admin_menu_permissions has a UNIQUE constraint on
-- (item_id, role) - verify; without it each run appends a row instead of replacing,
-- and contradictory rows for the same role could coexist.
-- If no item with code = 'niccadminmenu' exists, the SELECT returns no rows and
-- nothing is inserted.
INSERT OR REPLACE INTO admin_menu_permissions (item_id, role, can_view, can_execute)
SELECT id, 'superuser', 1, 1 FROM admin_menu_items WHERE code = 'niccadminmenu';

INSERT OR REPLACE INTO admin_menu_permissions (item_id, role, can_view, can_execute)
SELECT id, 'admin', 1, 1 FROM admin_menu_items WHERE code = 'niccadminmenu';

-- Ensure manager does NOT have access: write an explicit (0, 0) row for the item.
-- Per its description, the item configures the admin-menu permissions themselves, so a
-- leftover manager grant here would presumably let that role change these restrictions.
-- NOTE(review): these rows drive menu permissions; confirm the page behind the item's
-- url also checks the role server-side, since a hidden menu entry does not by itself
-- block a direct request.
INSERT OR REPLACE INTO admin_menu_permissions (item_id, role, can_view, can_execute)
SELECT id, 'manager', 0, 0 FROM admin_menu_items WHERE code = 'niccadminmenu';

-- End of migration.
-- SELECT 1 returns a single constant row; presumably a completion marker for the
-- migration runner - verify.
-- NOTE(review): this file contains no BEGIN/COMMIT; confirm the runner wraps it in a
-- transaction so a failure midway cannot leave the manager role only partly restricted.
SELECT 1;
