# Plan: Store and Product Management Refactoring (RBAC Hardening)

This plan outlines the implementation of stricter role-based access control (RBAC) for Store and Product management, following the "Big 3" hierarchy and supporting multiple store managers.

## 🏗️ Technical Approach

### 1. Data Architecture: Multiple Store Managers

- **New Table**: `store_managers`
  - `id` (INT)
  - `hashkey` (VARCHAR 300, unique)
  - `store_id` (INT, foreign key to `str`)
  - `user_id` (INT, foreign key to `users`)
  - `created_by` (INT)
  - `updated_by` (INT)
  - `is_active` (BOOLEAN, default true)
  - `created_at`, `updated_at`
- **Model**: `App\Models\Market\StoreManager`
- **Relationship**: `Store` hasMany `StoreManager` (and `belongsToMany` via `users`).

### 2. RBAC: The "Big 3"

- **Definition**: `ULTIMATE`, `SUPER_OPERATOR`, `OPERATOR`.
- **Global Access**: The Big 3 can list, view, and manage ANY store.
- **Hierarchy Access**: Other roles (e.g., Coordinator, Supplier Overseer) can only list or manage stores where they are a direct or indirect parent of the Store Owner OR any of the Store Managers.
- **Global Product Editing**: Restrict the `ModifyAllProducts` action to only the Big 3.

### 3. Controller Refactoring

- **StoreController**:
  - `listStores_Admin`: Implement strict hierarchy-based filtering for non-Big 3 users.
  - `update`: Enforce a hierarchy-based check to prevent unauthorized modifications.
  - `viewStoreDetails`: Ensure the correct `can_edit` flag based on hierarchy.
- **ProductController**:
  - `editProductAdmin`: Change the global edit logic: allow ONLY the Big 3 to edit global product fields. Remove the "creator can edit globally" path for non-Big 3 users who don't have the permission.
  - `AssignProductToOwnStore`: Update to include a check for multiple managers.
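The following is an added example of how sections 1 through 3 fit together in Eloquent; it is not the project's own code. Table and column names for `store_managers`, the `str` table name and the role names come from the plan. Everything else is assumed: that `App\Models\User` exists, that `users.role` holds the role name, that the reporting hierarchy is a `users.parent_id` column (so "direct or indirect parent" means walking `parent_id` downwards), that `str` has an `owner_id` column, and that `hashkey` is an opaque random key generated server-side.

```php
<?php
// Added example, not the project's own code. Assumptions: App\Models\User exists;
// users.role holds the role name; the reporting hierarchy is a users.parent_id
// column (descendants are found by walking parent_id downwards); the `str` table
// has an `owner_id` column; hashkey is an opaque random key.

namespace App\Models\Market;

use App\Models\User;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsTo;
use Illuminate\Database\Eloquent\Relations\BelongsToMany;
use Illuminate\Database\Eloquent\Relations\HasMany;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;

class StoreManager extends Model
{
    protected $table = 'store_managers';
    protected $fillable = ['hashkey', 'store_id', 'user_id', 'created_by', 'updated_by', 'is_active'];
    protected $casts = ['is_active' => 'boolean'];

    protected static function booted(): void
    {
        // Fill hashkey server-side so clients never get to choose it.
        static::creating(function (StoreManager $row) {
            $row->hashkey = $row->hashkey ?: Str::random(64);
        });
    }

    public function store(): BelongsTo { return $this->belongsTo(Store::class, 'store_id'); }
    public function user(): BelongsTo  { return $this->belongsTo(User::class, 'user_id'); }
}

class Store extends Model
{
    public const BIG_3 = ['ULTIMATE', 'SUPER_OPERATOR', 'OPERATOR'];

    protected $table = 'str';

    public function managerAssignments(): HasMany
    {
        return $this->hasMany(StoreManager::class, 'store_id');
    }

    /** Users currently managing the store; inactive rows are excluded at the pivot. */
    public function managers(): BelongsToMany
    {
        return $this->belongsToMany(User::class, 'store_managers', 'store_id', 'user_id')
            ->wherePivot('is_active', true)
            ->withPivot(['is_active', 'created_by'])
            ->withTimestamps();
    }

    /** Ids of every user below $user in the parent_id tree (iterative; tolerates cycles in bad data). */
    public static function descendantIdsOf(User $user): array
    {
        $seen = [$user->getKey()];
        $frontier = [$user->getKey()];
        while ($frontier !== []) {
            $frontier = DB::table('users')
                ->whereIn('parent_id', $frontier)
                ->whereNotIn('id', $seen)
                ->pluck('id')
                ->all();
            $seen = array_merge($seen, $frontier);
        }
        return array_slice($seen, 1); // drop the user's own id
    }

    /**
     * Stores $user may list: everything for the Big 3, otherwise only stores whose
     * owner or any active manager sits somewhere below $user in the hierarchy.
     */
    public function scopeVisibleTo(Builder $query, User $user): Builder
    {
        if (in_array($user->role, self::BIG_3, true)) {
            return $query;
        }
        $ids = self::descendantIdsOf($user);
        if ($ids === []) {
            return $query->whereRaw('0 = 1'); // no subordinates at all: empty list, not a leak
        }
        return $query->where(function (Builder $q) use ($ids) {
            $q->whereIn('owner_id', $ids)
              ->orWhereHas('managerAssignments', function (Builder $m) use ($ids) {
                  $m->where('is_active', true)->whereIn('user_id', $ids);
              });
        });
    }

    /** Single-store check shared by update() and the can_edit flag in viewStoreDetails(). */
    public function isManageableBy(User $user): bool
    {
        return static::query()->visibleTo($user)->whereKey($this->getKey())->exists();
    }
}
```

With this in place, `listStores_Admin` reduces to `Store::query()->visibleTo($request->user())->paginate()`, and `update` and `viewStoreDetails` both call `$store->isManageableBy($request->user())`, so the listing filter and the per-store authorization cannot drift apart. Filtering on `is_active` in both the pivot and the scope matters: a deactivated manager row must stop granting hierarchy access immediately, not only hide from the UI.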
## 🛠️ Components to Update

### Backend

- `app/Http/Controllers/Market/StoreController.php`
- `app/Http/Controllers/Market/ProductController.php`
- `app/Http/Controllers/Helpers/Permissions/ProductPermissions.php`
- `app/Http/Controllers/Helpers/Permissions/UserPermissions.php`
- `app/Models/Market/Store.php`
- `app/Models/Market/StoreManager.php` (New)

### Frontend

- `resources/js/Pages/CreateStore.vue`: Add multi-manager selection.
- `resources/js/Pages/EditStore.vue`: Update management UI.
- `resources/js/Pages/ManageProductAdmin.vue`: Enforce global edit restrictions in the UI.

## 📅 Phases

1. **Phase 1: Database and Models** (Migration and StoreManager model).
2. **Phase 2: RBAC Logic Hardening** (Update Permissions helpers).
3. **Phase 3: Store Management Refactoring** (Hierarchy-based filtering).
4. **Phase 4: Product Management Refactoring** (Global edit restrictions).
5. **Phase 5: UI Integration** (Multi-manager picker and permission guards).
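As an added example for Phases 2 and 4 (not the project's own code), here is the shape the `ProductPermissions` helper and the two `ProductController` actions could take once the "creator can edit globally" path is gone and store assignment honours multiple managers. The two classes live in separate files under the paths listed above; braced namespaces keep them in one file here. The role names and the `store_managers` columns come from the plan; `users.role`, a `created_by` column on products, the `GLOBAL_FIELDS` column names, `App\Models\Market\Product`, `str.owner_id` and a `$store->products()` pivot are assumptions.

```php
<?php
// Added example, not the project's own code. Assumptions: users.role holds the
// role name; products have a created_by column and the GLOBAL_FIELDS listed below;
// App\Models\Market\Product and App\Models\User exist; `str` has owner_id;
// Store has a products() belongsToMany relation.

namespace App\Http\Controllers\Helpers\Permissions {

    use App\Models\Market\Store;
    use App\Models\User;
    use Illuminate\Support\Facades\DB;

    final class ProductPermissions
    {
        public const BIG_3 = ['ULTIMATE', 'SUPER_OPERATOR', 'OPERATOR'];

        public static function isBig3(User $user): bool
        {
            return in_array($user->role, self::BIG_3, true);
        }

        // Before: the product's creator could edit it globally, so a non-Big-3 user
        // who once created a product kept changing fields every store displays.
        public static function legacyCanModifyAllProducts(User $user, int $creatorId): bool
        {
            return self::isBig3($user) || (int) $user->getKey() === $creatorId;
        }

        // After: ModifyAllProducts is reserved for the Big 3; authorship is irrelevant.
        public static function canModifyAllProducts(User $user): bool
        {
            return self::isBig3($user);
        }

        // Store-scoped work is allowed for the owner or any *active* manager
        // (several per store via store_managers), plus the Big 3.
        public static function canManageStore(User $user, Store $store): bool
        {
            if (self::isBig3($user) || (int) $store->owner_id === (int) $user->getKey()) {
                return true;
            }
            return DB::table('store_managers')
                ->where('store_id', $store->getKey())
                ->where('user_id', $user->getKey())
                ->where('is_active', true)
                ->exists();
        }
    }
}

namespace App\Http\Controllers\Market {

    use App\Http\Controllers\Controller;
    use App\Http\Controllers\Helpers\Permissions\ProductPermissions;
    use App\Models\Market\Product;
    use App\Models\Market\Store;
    use Illuminate\Http\JsonResponse;
    use Illuminate\Http\Request;

    class ProductController extends Controller
    {
        /** Fields shared by every store that lists the product (assumed column names). */
        private const GLOBAL_FIELDS = ['name', 'description', 'base_price'];

        public function editProductAdmin(Request $request, Product $product): JsonResponse
        {
            $user = $request->user();
            $globalChanges = $request->only(self::GLOBAL_FIELDS); // only keys actually sent

            // Decide on the *request*, before touching the model, so a non-Big-3 user
            // cannot smuggle global fields in alongside fields they may edit.
            if ($globalChanges !== [] && ! ProductPermissions::canModifyAllProducts($user)) {
                abort(403, 'Only ULTIMATE, SUPER_OPERATOR and OPERATOR may edit global product fields.');
            }

            $product->fill($globalChanges);
            $product->updated_by = $user->getKey();
            $product->save();

            return response()->json(['ok' => true, 'product' => $product]);
        }

        public function AssignProductToOwnStore(Request $request, Product $product, Store $store): JsonResponse
        {
            $user = $request->user();

            if (! ProductPermissions::canManageStore($user, $store)) {
                abort(403, 'You are neither the owner nor an active manager of this store.');
            }

            $store->products()->syncWithoutDetaching([
                $product->getKey() => ['created_by' => $user->getKey()],
            ]);

            return response()->json(['ok' => true]);
        }
    }
}
```

The UI guard in `ManageProductAdmin.vue` should mirror `canModifyAllProducts` only for presentation; the 403 in `editProductAdmin` is the control that counts, since a client can always submit global fields directly.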