Add role control

APP/src/app/core/models/permission.model.ts

@@ -0,0 +1,65 @@
+/** Effective action flags for one module — mirrors the C# ModuleActions DTO. */
+export interface ModuleActions {
+    read: boolean;
+    write: boolean;
+    delete: boolean;
+    approve: boolean;
+    /** Computed server-side (true if any flag is set). */
+    any?: boolean;
+}
+
+export type PermissionAction = 'read' | 'write' | 'delete' | 'approve';
+
+/**
+ * Canonical module names — must match the C# ROLAC.API.Authorization.Modules constants
+ * (PascalCase). Used by the permission directive, guard, nav, and admin page.
+ */
+export const PermissionModules = {
+    Members:           'Members',
+    Users:             'Users',
+    Givings:           'Givings',
+    GivingCategories:  'GivingCategories',
+    Expenses:          'Expenses',
+    ExpenseCategories: 'ExpenseCategories',
+    OfferingSessions:  'OfferingSessions',
+    Ministries:        'Ministries',
+    FinanceDashboard:  'FinanceDashboard',
+    MonthlyStatements: 'MonthlyStatements',
+    ChurchProfile:     'ChurchProfile',
+    Disbursements:     'Disbursements',
+    MealAttendance:    'MealAttendance',
+    Permissions:       'Permissions',
+} as const;
+
+/** A required permission, used in route data and the *appHasPermission directive. */
+export interface PermissionRequirement {
+    module: string;
+    action: PermissionAction;
+}
+
+// ── Admin matrix DTOs (mirror C# DTOs.Permissions) ────────────────────────────
+
+export interface ModulePermissionDto {
+    module: string;
+    canRead: boolean;
+    canWrite: boolean;
+    canDelete: boolean;
+    canApprove: boolean;
+}
+
+export interface RolePermissionRow {
+    roleName: string;
+    description?: string;
+    isSuperAdmin: boolean;
+    modules: ModulePermissionDto[];
+}
+
+export interface PermissionMatrixDto {
+    allModules: string[];
+    allActions: string[];
+    roles: RolePermissionRow[];
+}
+
+export interface UpdateRolePermissionsRequest {
+    modules: ModulePermissionDto[];
+}