From c7895c5333ef4a867a89d0502a43b2cb293a4d26 Mon Sep 17 00:00:00 2001
From: seaznCode
Date: Wed, 11 Mar 2026 22:27:31 +0100
Subject: [PATCH] feat: add permission checks for subscription and implement user permission retrieval
---
 controller/abonemments/AbonemmentController.js | 7 +++++++
 scripts/initPermissions.js | 6 +++++-
 services/permissions/PermissionService.js | 18 ++++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/controller/abonemments/AbonemmentController.js b/controller/abonemments/AbonemmentController.js
index 3a83123..a8031c2 100644
--- a/controller/abonemments/AbonemmentController.js
+++ b/controller/abonemments/AbonemmentController.js
@@ -1,4 +1,5 @@
 const AbonemmentService = require('../../services/abonemments/AbonemmentService');
+const PermissionService = require('../../services/permissions/PermissionService');
 const service = new AbonemmentService();
 module.exports = {
@@ -9,6 +10,12 @@ module.exports = {
 const actorUser = { ...rawUser, id: rawUser.id ?? rawUser.userId ?? null };
 console.log('[CONTROLLER SUBSCRIBE] Normalized actorUser:', { id: actorUser.id, email: actorUser.email, role: actorUser.role });
+ // Permission check: user must have can_subscribe
+ const hasPermission = await PermissionService.userHasPermission(actorUser.id, 'can_subscribe');
+ if (!hasPermission) {
+ return res.status(403).json({ success: false, message: 'You do not have permission to complete a subscription.' });
+ }
+
 const result = await service.subscribeOrder({
 userId: actorUser.id || null,
 items: req.body.items,
diff --git a/scripts/initPermissions.js b/scripts/initPermissions.js
index 0d9b9a0..169a4d5 100644
--- a/scripts/initPermissions.js
+++ b/scripts/initPermissions.js
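Review bot: A request whose `actorUser.id` is null gets a 403 from the new check in the second controller hunk, because `userHasPermission` returns false for a falsy id and the normalisation on the context line above allows `id` to be null. The trailing `userId: actorUser.id || null` suggests the order path previously tolerated a missing id, so confirm that rejecting such requests is intended. If it is, handle the unauthenticated case separately before the lookup, e.g. `if (!actorUser.id) return res.status(401).json({ success: false, message: 'Authentication required.' });`. The denial branch also returns without logging, so recording the user id and permission name there would give an audit trail for refused attempts. The handler starts and ends outside the hunk.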
@@ -39,8 +39,12 @@ const REQUIRED_PERMISSIONS = [
 name: 'can_create_referrals',
 description: 'User can create referral links',
 is_active: true
+ },
+ {
+ name: 'can_subscribe',
+ description: 'User can complete a subscription',
+ is_active: true
 }
- // Add more permissions here as needed
 ];
 async function ensurePermissions() {
diff --git a/services/permissions/PermissionService.js b/services/permissions/PermissionService.js
index 4adabbc..40be6e6 100644
--- a/services/permissions/PermissionService.js
+++ b/services/permissions/PermissionService.js
@@ -1,7 +1,25 @@
 const PermissionRepository = require('../../repositories/permissions/PermissionRepository');
+const db = require('../../database/database');
 const { logger } = require('../../middleware/logger');
 class PermissionService {
+ static async userHasPermission(userId, permissionName) {
+ if (!userId || !permissionName) return false;
+ try {
+ const [rows] = await db.query(
+ `SELECT 1 FROM user_permissions up
+ JOIN permissions p ON up.permission_id = p.id
+ WHERE up.user_id = ? AND p.name = ? AND p.is_active = TRUE
+ LIMIT 1`,
+ [userId, permissionName]
+ );
+ return rows.length > 0;
+ } catch (error) {
+ logger.error('PermissionService.userHasPermission:error', { userId, permissionName, error: error.message });
+ return false;
+ }
+ }
+
 static async getAllPermissions(unitOfWork) {
 logger.info('PermissionService.getAllPermissions:start');
 try {
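Review bot: Nothing in this hunk grants `can_subscribe` to anyone; the new entry only defines the permission, and the body of `ensurePermissions` lies outside the hunk, so it cannot be confirmed here whether existing users receive it. Because the controller change in the same commit rejects every caller without this permission, the rollout needs a grant step (a migration or a default assignment) before the check goes live, otherwise current users would all be denied. A comment on the entry such as `// enforced in AbonemmentController.js; must be granted to users before rollout` would record that dependency.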
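Review bot: The `catch` in `userHasPermission` turns a database failure into `false`, so the controller reports an outage as a 403 'You do not have permission'. Denying on error is the right default, but the caller cannot tell a refusal from a failed lookup. Rethrowing after the log line (`throw error;` in place of `return false;`) still rejects the request, but through the handler's error path, assuming the controller, whose body is only partly visible, handles rejected promises. The method also queries through a new direct `db` import instead of `PermissionRepository`, unlike `getAllPermissions(unitOfWork)` below it, and it only reads `user_permissions`, so a permission granted through a role (if the schema has that) would not be seen. A JSDoc block stating the parameters and the deny-on-missing-input behaviour should be added above the method.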