o ŒH)j…ëã@sˆddlZddlZddlZddlmZmZddlmZddlmZm Z ddl Z ddl Z e   e ¡ZGdd„dƒZdd„Zd d „Zd d „ZdS) éN)ÚdatetimeÚ timedelta©Úwraps)ÚrequestÚjsonifyc@sèeZdZhd£ZddhZdd„Zdd„Zedd „ƒZd d „Z d d „Z dd„Z edd„ƒZ dd„Z edd„ƒZdd„Zdd„Zdd„Zedd„ƒZ      dgdd „Zdhd"d#„Zd$d%„Zdid'd(„Zd)d*„Zdjd+d,„Zdjd-d.„Zdkd/d0„Zd1d2„Zdld3d4„Zd5d6„Zd7d8„Zd9d:„Z dkd;d<„Z!d=d>„Z"dkd?d@„Z#dAdB„Z$dCdD„Z%dkdEdF„Z&dGdH„Z'dIdJ„Z(dKdL„Z)djdMdN„Z*dOdP„Z+edQdR„ƒZ, S T        dmdUdV„Z-dWdX„Z.edYdZ„ƒZ/dld[d\„Z0djd]d^„Z1d_d`„Z2dadb„Z3dcdd„Z4dedf„Z5dS)nÚ AuthHandler>ÚuserÚadminÚagentÚmanagerÚbusiness_adminr r c Cs¦||_| d¡t| dd¡ƒ| d¡| d¡| d¡tjjdœ|_| dd ¡|_d |_d |_ z |  ¡|  ¡WdSt yR}z t  d |¡WYd}~dSd}~ww) NÚDB_HOSTÚDB_PORTiê ÚDB_USERÚ DB_PASSWORDÚDB_NAME)ÚhostÚportr ÚpasswordÚdatabaseÚ cursorclassÚ SECRET_KEYz)your-secret-key-here-change-in-productionÚHS256ézMCould not ensure auth extension tables at startup (DB may be unreachable): %s)ÚconfigÚgetÚintÚpymysqlÚcursorsÚ DictCursorÚ db_configÚ jwt_secretÚ jwt_algorithmÚjwt_expiration_daysÚensure_embed_tablesÚensure_rbac_tablesÚ ExceptionÚloggerÚwarning)ÚselfrÚe©r,ú7/home/aiteam/pcaa-dev/dashboard-backend/auth_handler.pyÚ__init__s$ú €ÿzAuthHandler.__init__cCstjdi|j¤ŽS)zGet database connectionNr,)rÚconnectr!)r*r,r,r-Úget_connection%szAuthHandler.get_connectioncCsd| dd¡›dS)Nú`z``©Úreplace)Ú identifierr,r,r-Ú_quote_identifier)szAuthHandler._quote_identifiercCs| d||f¡| ¡duS)NzSELECT 1 FROM information_schema.tables WHERE table_schema = %s AND table_name = %s LIMIT 1©ÚexecuteÚfetchone)r*ÚcursorÚschemaÚ table_namer,r,r-Ú _table_exists-s û zAuthHandler._table_existscCs\d|›}| d||f¡| ¡}|r|dS| d|d|›f¡| ¡}|r,|dSdS)NÚ7987_zSELECT table_name AS name FROM information_schema.tables WHERE table_schema = %s AND table_name = %s LIMIT 1Únamez³SELECT table_name AS name FROM information_schema.tables WHERE table_schema = %s AND table_name LIKE %s ORDER BY table_name LIMIT 1z%_r6)r*r9r:ÚsuffixÚ preferredÚrowr,r,r-Ú_find_template_table7s û úz AuthHandler._find_template_tablecCs t ¡}t | d¡|¡ d¡S)zHash a password using bcryptzutf-8)ÚbcryptÚgensaltÚhashpwÚencodeÚdecode)r*rÚsaltr,r,r-Ú hash_passwordOszAuthHandler.hash_passwordcCs,|rt|tƒs dS| d¡sdSt|ƒdkS)NF)z$2a$z$2b$z$2y$é2)Ú isinstanceÚstrÚ startswithÚlen)Ú password_hashr,r,r-Ú_looks_like_bcrypt_hashTs   z#AuthHandler._looks_like_bcrypt_hashcCs| |¡sdSdS)z"Verify a password against its hashFN)rP)r*rrOr,r,r-Úverify_password]s ÿzAuthHandler.verify_passwordcCs$t|pdƒ ¡ ¡}|dkrd}|S)Nr zbusiness-adminr )rLÚstripÚlower)ÚclsÚroler,r,r-Únormalize_rolebszAuthHandler.normalize_rolecCs„dD]=}| d|f¡| ¡}|sqt|pi d¡pdƒ ¡}d|vs'd|vr?| d|›d¡| d |›d ¡t d |¡qd S) zHExpand legacy ENUM('admin','user','viewer') role columns for RBAC roles.)Úbusiness_usersÚuser_business_accesszå SELECT COLUMN_TYPE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = %s AND COLUMN_NAME = 'role' Ú COLUMN_TYPEÚÚenumÚviewerzUPDATE `z)` SET role = 'user' WHERE role = 'viewer'z ALTER TABLE `z8` MODIFY COLUMN role VARCHAR(30) NOT NULL DEFAULT 'user'z)Expanded role column on %s for RBAC rolesN)r7r8rLrrSr(Úinfo)r*r9ÚtablerAÚ column_typer,r,r-Ú_ensure_role_column_supportis&ø  ÿ ÿ €êz'AuthHandler._ensure_role_column_supportc Cs.| ¡}zzn| ¡}| |¡| d¡| d¡| d¡| d¡| d¡gd¢gd¢gd¢gd¢gd ¢d œ}d d „| ¡Dƒ}| ¡D]\}}| d ||dd…f¡qG| ¡D]\}}|D] }| d||f¡qbq\| ¡WntyŠ} z | ¡t   d| ¡‚d} ~ wwW|  ¡dS|  ¡w)zHCreate additive role/scope tables without changing existing auth tables.aJ CREATE TABLE IF NOT EXISTS permissions ( code VARCHAR(100) PRIMARY KEY, description VARCHAR(255) DEFAULT NULL, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci aÅ CREATE TABLE IF NOT EXISTS role_permissions ( role VARCHAR(30) NOT NULL, permission_code VARCHAR(100) NOT NULL, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, PRIMARY KEY (role, permission_code), INDEX idx_permission_code (permission_code) ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci an CREATE TABLE IF NOT EXISTS user_agent_mapping ( id INT AUTO_INCREMENT PRIMARY KEY, user_id INT NOT NULL, bid VARCHAR(20) NOT NULL, agent_name VARCHAR(255) DEFAULT NULL, agent_phone VARCHAR(100) DEFAULT NULL, agent_extension VARCHAR(100) DEFAULT NULL, is_primary TINYINT(1) DEFAULT 0, is_active TINYINT(1) DEFAULT 1, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, UNIQUE KEY uq_user_bid_agent (user_id, bid, agent_name, agent_phone, agent_extension), INDEX idx_user_bid (user_id, bid), INDEX idx_bid_agent_name (bid, agent_name), INDEX idx_bid_agent_phone (bid, agent_phone), FOREIGN KEY (user_id) REFERENCES business_users(id) ON DELETE CASCADE ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci aS CREATE TABLE IF NOT EXISTS user_group_mapping ( id INT AUTO_INCREMENT PRIMARY KEY, user_id INT NOT NULL, bid VARCHAR(20) NOT NULL, groupname VARCHAR(255) NOT NULL, is_active TINYINT(1) DEFAULT 1, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, UNIQUE KEY uq_user_bid_group (user_id, bid, groupname), INDEX idx_user_bid (user_id, bid), INDEX idx_bid_group (bid, groupname), FOREIGN KEY (user_id) REFERENCES business_users(id) ON DELETE CASCADE ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci a. CREATE TABLE IF NOT EXISTS user_permission_overrides ( id INT AUTO_INCREMENT PRIMARY KEY, user_id INT NOT NULL, bid VARCHAR(20) NOT NULL, permission_code VARCHAR(100) NOT NULL, allowed TINYINT(1) NOT NULL, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, UNIQUE KEY uq_user_bid_permission (user_id, bid, permission_code), INDEX idx_user_bid (user_id, bid), FOREIGN KEY (user_id) REFERENCES business_users(id) ON DELETE CASCADE ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci )ú users.viewú users.createz users.updatez users.disablezusers.reset_passwordz roles.assignz agents.manageúcalls.view_allúcalls.view_detailúcalls.view_transcriptzcalls.edit_transcriptzcalls.delete_transcriptzcalls.reprocessúleads.view_allz leads.updateúanalytics.view_allzanalytics.leaderboardzexports.downloadz crm.managezquality.managezsettings.managezpipeline.managezaudit.view_business)raúcalls.view_teamrdreúleads.view_teamúanalytics.view_teamzanalytics.leaderboard_teamzexports.team_download)údashboard.viewrcrdrerfrg)rkúcalls.view_ownrdzcalls.view_transcript_ownúleads.view_ownúanalytics.view_ownzprofile.manage_own)r r r r r cSs,i|]}|D] }|| dd¡ dd¡“qqS)Ú_Ú Ú.z: r2)Ú.0ÚpermsÚcoder,r,r-Ú ésýþÿz2AuthHandler.ensure_rbac_tables..zBINSERT IGNORE INTO permissions (code, description) VALUES (%s, %s)NéÿzKINSERT IGNORE INTO role_permissions (role, permission_code) VALUES (%s, %s)zError ensuring RBAC tables: %s) r0r9r`r7ÚvaluesÚitemsÚcommitr'Úrollbackr(ÚerrorÚclose) r*Úconnr9Údefault_permissionsÚ descriptionsrtÚ descriptionrUrsr+r,r,r-r&ƒsN     æþþþÿ  €ýÿzAuthHandler.ensure_rbac_tablesc Cs| ¡}zzzC| ¡}| d¡dd„| ¡pgDƒ}g}d|vr%| d¡d|vr.| d¡d|vr7| d ¡|rG| d d  |¡¡| ¡Wn(typ}zt  d |¡z|  ¡Wn tyeYnwWYd }~n d }~wwW|  ¡d SW|  ¡d S|  ¡w)zBAdd bid / business_name / action_code if missing (additive ALTER).z© SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = 'user_activity_log' cSóh|]}|d’qS)Ú COLUMN_NAMEr,)rrÚrr,r,r-Ú ózEAuthHandler.ensure_user_activity_log_audit_columns..Úbidz'ADD COLUMN bid VARCHAR(64) DEFAULT NULLÚ business_namez2ADD COLUMN business_name VARCHAR(255) DEFAULT NULLÚ action_codez/ADD COLUMN action_code VARCHAR(32) DEFAULT NULLzALTER TABLE user_activity_log z, z.Could not extend user_activity_log columns: %sN) r0r9r7ÚfetchallÚappendÚjoinryr'r(r)rzr|)r*r}r9ÚexistingÚpartsr+r,r,r-Ú&ensure_user_activity_log_audit_columnss>ÿ   €   ÿ€ü€ €z2AuthHandler.ensure_user_activity_log_audit_columnscCsœ|sdSt|ƒ ¡ ¡}|dkrdS|dkrdS| d¡s&| d¡s&|dkr(dS| d¡s1|d kr3d Sd |vs@d |vs@| d ¡rBdSd|vsJd|vrLdSdS)NÚloginÚLOGINÚlogoutÚLOGOUTÚdeleteÚrevokeÚDELETEÚcreateÚregisterÚCREATEÚchangeÚupdateÚ_updateÚUPDATEÚretryÚ reprocessÚRETRY)rLrRrSrMÚendswith)Ú activity_typeÚtr,r,r-Ú_infer_action_code s zAuthHandler._infer_action_codeNc Cs¶| ¡| dur | |¡} | ¡} zDz|  ¡} |  d||||||||| f ¡|  ¡WntyG} zt dt | ƒ›¡WYd} ~ n d} ~ wwW|   ¡dSW|   ¡dS|   ¡w)z=Persist audit events (distinct from orchestration file logs).NzÒINSERT INTO user_activity_log (user_id, username, activity_type, description, ip_address, user_agent, bid, business_name, action_code) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s)zError logging activity: ) rŽr£r0r9r7ryr'r(r{rLr|) r*Úuser_idÚusernamer¡r€Ú ip_addressÚ user_agentr†r‡rˆr}r9r+r,r,r-Ú log_activity3s8  ÷ü  €ÿÿ þzAuthHandler.log_activityFc Cs@|||||t ¡t|jdt ¡dœ}tj||j|jd}|S)z=Generate a JWT token with user info and accessible businesses)Údays)r¤r¥ÚemailÚ businessesÚ is_masterÚexpÚiat©Ú algorithm)rÚutcnowrr$ÚjwtrFr"r#)r*r¤r¥rªr«r¬ÚpayloadÚtokenr,r,r-Úgenerate_jwt_token\sù zAuthHandler.generate_jwt_tokencCsHztj||j|jgd}|WStjyYdStjy#YdSw)zDecode and validate a JWT token©Ú algorithmsN)r²rGr"r#ÚExpiredSignatureErrorÚInvalidTokenError©r*r´r³r,r,r-Údecode_jwt_tokenjsÿzAuthHandler.decode_jwt_tokenr c Cs&| ¡}z‰z[| ¡}| |¡}||jvr ddidfWW| ¡S| d||f¡| ¡r8ddidfWW| ¡S| |¡} | d||| ||||f¡| ¡|j } | ||||dœd fWW| ¡St y} z!|  ¡t   d t| ƒ›¡dt| ƒid fWYd } ~ W| ¡Sd } ~ ww| ¡w) z/Create a new user (no business assignment here)r{úAInvalid role. Use admin, business_admin, manager, user, or agent.éz?SELECT id FROM business_users WHERE username = %s OR email = %sú Username or email already existsé™z¼INSERT INTO business_users (username, email, password_hash, plain_password, full_name, role, is_master, is_active) VALUES (%s, %s, %s, %s, %s, %s, %s, TRUE))Úidr¥rªrUr¬éÉzError creating user: éôN)r0r9rVÚ VALID_ROLESr|r7r8rIryÚ lastrowidr'rzr(r{rL) r*r¥rªrÚ full_namerUr¬r}r9rOr¤r+r,r,r-Ú create_usertsL   %Þþ  æüûú û €û zAuthHandler.create_userc Cs¤| ¡}zÈzš| ¡}d}z | d¡| ¡du}Wn ty$d}Ynw| d|f¡| ¡}|s>ddidfWW| ¡S| || d¡¡}| d ¡} |sV| rV|| krVd }|sf| d¡rf|| d¡krfd }|stdd id fWW| ¡S|r„| d | |¡|||f¡n | d| |¡||f¡|  ¡ddidfWW| ¡StyÌ} z!|  ¡t   dt | ƒ›¡dt | ƒidfWYd} ~ W| ¡Sd} ~ ww| ¡w)z?Change a user's password after verifying the existing password.FzþSELECT 1 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = 'business_users' AND COLUMN_NAME = 'plain_password2' LIMIT 1Nz‰SELECT id, username, password_hash, plain_password FROM business_users WHERE id = %s AND is_active = TRUEr{úUser not foundé”rOÚplain_passwordTzPrevious password is incorrecté‘zUPDATE business_users SET password_hash = %s, plain_password = %s, plain_password2 = %s WHERE id = %szwUPDATE business_users SET password_hash = %s, plain_password = %s WHERE id = %sÚmessagezPassword changed successfullyéÈzError changing user password: rÂ)r0r9r7r8r'r|rQrrIryrzr(r{rL) r*r¤Úprevious_passwordÚ new_passwordr}r9Úhas_plain_password2r Ú password_okrÉr+r,r,r-Úchange_user_password£sbÿ ÿü "à  êüü û €û z AuthHandler.change_user_passwordcCsR| ¡}z| ¡}|r| d||f¡n| d|f¡| ¡W| ¡S| ¡w)z3Return the primary login user linked to a business.aSELECT bu.id, bu.username, bu.email, bu.plain_password FROM business_users bu JOIN user_business_access uba ON uba.user_id = bu.id WHERE uba.bid = %s AND bu.id = %s AND bu.is_active = TRUE LIMIT 1aESELECT bu.id, bu.username, bu.email, bu.plain_password FROM business_users bu JOIN user_business_access uba ON uba.user_id = bu.id WHERE uba.bid = %s AND bu.is_active = TRUE AND bu.is_master = FALSE ORDER BY bu.id ASC LIMIT 1)r0r9r7r8r|)r*r†r¤r}r9r,r,r-Úget_business_login_userâsú ù z#AuthHandler.get_business_login_userc Cs¦| ¡}zÉz›| ¡}|j||d}|sddidfWW| ¡S|d} t|p'dƒ ¡}t|p/dƒ ¡ ¡}t|p9dƒ}|sIddidfWW| ¡S|sWdd idfWW| ¡S|sedd idfWW| ¡S| d ||| f¡| ¡r~dd id fWW| ¡S| d|||  |¡|| f¡|  ¡| |||dœdœdfWW| ¡St yÍ} z!|  ¡t  dt| ƒ›¡dt| ƒidfWYd} ~ W| ¡Sd} ~ ww| ¡w)z;Master-admin update of a business login user's credentials.)r¤r{zBusiness login user not foundrÈrÀrZzUsername is requiredr½zEmail is requiredzPassword is requiredzvSELECT id FROM business_users WHERE (username = %s OR email = %s) AND id != %s LIMIT 1r¾r¿zŠUPDATE business_users SET username = %s, email = %s, password_hash = %s, plain_password = %s WHERE id = %s)r¥rrª)Úbusiness_user_idÚ credentialsrÌz%Error updating business credentials: rÂN)r0r9rÒr|rLrRrSr7r8rIryr'rzr(r{) r*r†r¥rªrr¤r}r9ÚtargetÚ target_idr+r,r,r-Ú update_business_user_credentialsþsb *Ø  #Þ !à ãü ìüýþù û €û z,AuthHandler.update_business_user_credentialsc Cs:| ¡}z“ze| ¡}| |¡}||jvr ddidfWW| ¡S| d|f¡| ¡s7ddidfWW| ¡S| d|f¡| ¡sNddidfWW| ¡S| d ||||f¡| ¡d |||d œd fWW| ¡Sty—}z!|  ¡t   d t |ƒ›¡dt |ƒidfWYd}~W| ¡Sd}~ww| ¡w)z Assign business access to a userr{r¼r½ú)SELECT bid FROM businesses WHERE bid = %súBusiness not foundrÈz+SELECT id FROM business_users WHERE id = %srÇz‹INSERT INTO user_business_access (user_id, bid, role) VALUES (%s, %s, %s) ON DUPLICATE KEY UPDATE role = %szBusiness access granted)rËr¤r†rUrÌz!Error assigning business access: rÂN) r0r9rVrÃr|r7r8ryr'rzr(r{rL)r*r¤r†rUr}r9r+r,r,r-Úassign_business_access1s<   ç ì ñ ü û €û z"AuthHandler.assign_business_accessc Csä| ¡}zhzD| ¡}| d|f¡| ¡}|D]*}| | d¡¡}| || d¡|¡}| || d¡|¡}||d<||d<||d<q|WW| ¡St yl} zt   dt | ƒ›¡gWYd} ~ W| ¡Sd} ~ ww| ¡w)z'Get all businesses accessible to a userzîSELECT b.bid, b.name, b.description, uba.role FROM user_business_access uba JOIN businesses b ON uba.bid = b.bid WHERE uba.user_id = %s AND b.is_active = TRUE ORDER BY b.namerUr†Ú permissionsÚscopezError getting user businesses: N) r0r9r7r‰rVrÚget_permissions_for_userÚget_user_scoper|r'r(r{rL) r*r¤r}r9r«ÚbusinessrUrÛrÜr+r,r,r-Úget_user_businessesWs0ú  ü €ü zAuthHandler.get_user_businessesc Csr| ¡}z.zÿ| ¡}| d||f¡| ¡}|s%ddidfWW| ¡S| || d¡¡}d} |sb| d¡} | d¡} | rG|| krGd }d } n| rR|| krRd }d } n| d¡rb|| d¡krbd }d } |spddidfWW| ¡S| r‰| |¡} | d | |d f¡t  d |d ¡|  |d ¡} |dr­| d¡|  ¡} | D] }dg|d<ddi|d<qŸ| d|d f¡|  ¡|j |d |d |d| |dd}|j|d |d dd|d ›d||dd||d |d |d|d| |d¡|d| dœd œd!fWW| ¡Sty3}z!| ¡t d"t|ƒ›¡dt|ƒid#fWYd$}~W| ¡Sd$}~ww| ¡w)%z&Authenticate user and create JWT tokenzîSELECT id, username, email, password_hash, plain_password, plain_password2, full_name, role, is_master, is_active FROM business_users WHERE (username = %s OR email = %s) AND is_active = TRUEr{zInvalid credentialsrÊrOFrÉÚplain_password2Tz:UPDATE business_users SET password_hash = %s WHERE id = %srÀz=Upgraded password hash for user %s due to legacy/invalid hashr¥r¬zŸSELECT bid, name, description, 'admin' as role FROM businesses WHERE is_active = TRUE ORDER BY nameÚ*rÛÚtypeÚallrÜz:UPDATE business_users SET last_login = NOW() WHERE id = %srª)r¤r¥rªr«r¬rzUser z logged in successfullyr)r¤r¥r¡r€r¦r§rˆrÅrU)rÀr¥rªrÅrUr¬r«)r´r rÌzError during login: rÂN)r0r9r7r8r|rQrrIr(r)ràr‰ryrµr¨rVr'rzr{rL)r*r¥rr¦r§r}r9r rÐÚ needs_upgraderÉráÚnew_hashr«rßr´r+r,r,r-rus²û _¤     J¸  þþÿ þû ù  ùþ õ û €û zAuthHandler.logincCsD| |¡}|s dS| d¡| d¡| d¡| dg¡| dd¡dœS) z)Validate a JWT token and return user infoNr¤r¥rªr«r¬F)rÀr¥rªr«r¬)r»rrºr,r,r-Úvalidate_tokençs   ûzAuthHandler.validate_tokencCs ddidfS)z8Logout user (with JWT, we just rely on token expiration)rËzLogged out successfullyrÌr,)r*r´r,r,r-r‘õs zAuthHandler.logoutc Cs²| ¡}zOz%| ¡}| d¡| ¡}|D] }| |d¡|d<q|dfWW| ¡StyS}zt dt |ƒ›¡dt |ƒidfWYd}~W| ¡Sd}~ww| ¡w) z!Get all users (master admin only)zÆSELECT id, username, email, plain_password, full_name, role, is_master, is_active, created_at, last_login FROM business_users ORDER BY created_at DESCrÀr«rÌzError getting users: r{rÂN) r0r9r7r‰ràr|r'r(r{rL)r*r}r9Úusersr r+r,r,r-Ú get_all_usersûs$ÿ  ü €ü zAuthHandler.get_all_usersc Csœ| |¡}| ¡}z?z| ¡}| d|f¡tdd„| ¡pgDƒƒWW| ¡StyH}zt  d||¡gWYd}~W| ¡Sd}~ww| ¡w)z?Return default permission codes for a role (no user overrides).ú