feat: add permission checks for subscription and implement user permission retrieval

controller/abonemments/AbonemmentController.js

@@ -1,4 +1,5 @@
 const AbonemmentService = require('../../services/abonemments/AbonemmentService');
+const PermissionService = require('../../services/permissions/PermissionService');
 const service = new AbonemmentService();
 
 module.exports = {
@@ -9,6 +10,12 @@ module.exports = {
       const actorUser = { ...rawUser, id: rawUser.id ?? rawUser.userId ?? null };
       console.log('[CONTROLLER SUBSCRIBE] Normalized actorUser:', { id: actorUser.id, email: actorUser.email, role: actorUser.role });
 
+      // Permission check: user must have can_subscribe
+      const hasPermission = await PermissionService.userHasPermission(actorUser.id, 'can_subscribe');
+      if (!hasPermission) {
+        return res.status(403).json({ success: false, message: 'You do not have permission to complete a subscription.' });
+      }
+
       const result = await service.subscribeOrder({
         userId: actorUser.id || null,
         items: req.body.items,

scripts/initPermissions.js

@@ -39,8 +39,12 @@ const REQUIRED_PERMISSIONS = [
     name: 'can_create_referrals',
     description: 'User can create referral links',
     is_active: true
+  },
+  {
+    name: 'can_subscribe',
+    description: 'User can complete a subscription',
+    is_active: true
   }
-  // Add more permissions here as needed
 ];
 
 async function ensurePermissions() {

services/permissions/PermissionService.js

@@ -1,7 +1,25 @@
 const PermissionRepository = require('../../repositories/permissions/PermissionRepository');
+const db = require('../../database/database');
 const { logger } = require('../../middleware/logger');
 
 class PermissionService {
+  static async userHasPermission(userId, permissionName) {
+    if (!userId || !permissionName) return false;
+    try {
+      const [rows] = await db.query(
+        `SELECT 1 FROM user_permissions up
+         JOIN permissions p ON up.permission_id = p.id
+         WHERE up.user_id = ? AND p.name = ? AND p.is_active = TRUE
+         LIMIT 1`,
+        [userId, permissionName]
+      );
+      return rows.length > 0;
+    } catch (error) {
+      logger.error('PermissionService.userHasPermission:error', { userId, permissionName, error: error.message });
+      return false;
+    }
+  }
+
   static async getAllPermissions(unitOfWork) {
     logger.info('PermissionService.getAllPermissions:start');
     try {