ROLAC/API/ROLAC.API/Entities/RolePermission.cs

namespace ROLAC.API.Entities;

/// <summary>
/// One row per (Role × Module). Stores what the role may do on that module.
/// The effective permission for a user is the boolean OR of these flags across
/// all of the user's roles. <c>super_admin</c> is never stored here — it bypasses
/// permission checks entirely (see PermissionAuthorizationHandler).
/// </summary>
public class RolePermission
{
    public int Id { get; set; }

    /// <summary>FK to AspNetRoles.Id.</summary>
    public string RoleId { get; set; } = null!;

    /// <summary>Module constant name (see <see cref="Authorization.Modules"/>).</summary>
    public string Module { get; set; } = null!;

    public bool CanRead    { get; set; }
    public bool CanWrite   { get; set; }
    public bool CanDelete  { get; set; }
    public bool CanApprove { get; set; }

    public AppRole Role { get; set; } = null!;
}