feat: add permission checks for subscription and implement user permission retrieval

2026-03-11 22:27:31 +01:00 · 2026-03-11 22:27:31 +01:00 · c7895c5333
commit c7895c5333
parent f85d01af8d
3 changed files with 30 additions and 1 deletions
--- a/controller/abonemments/AbonemmentController.js
+++ b/controller/abonemments/AbonemmentController.js
@ -1,4 +1,5 @@
 const AbonemmentService = require('../../services/abonemments/AbonemmentService');
+const PermissionService = require('../../services/permissions/PermissionService');
 const service = new AbonemmentService();

 module.exports = {
@ -9,6 +10,12 @@ module.exports = {
      const actorUser = { ...rawUser, id: rawUser.id ?? rawUser.userId ?? null };
      console.log('[CONTROLLER SUBSCRIBE] Normalized actorUser:', { id: actorUser.id, email: actorUser.email, role: actorUser.role });

+      // Permission check: user must have can_subscribe
+      const hasPermission = await PermissionService.userHasPermission(actorUser.id, 'can_subscribe');
+      if (!hasPermission) {
+        return res.status(403).json({ success: false, message: 'You do not have permission to complete a subscription.' });
+      }
+
      const result = await service.subscribeOrder({
        userId: actorUser.id || null,
        items: req.body.items,
--- a/scripts/initPermissions.js
+++ b/scripts/initPermissions.js
@ -39,8 +39,12 @@ const REQUIRED_PERMISSIONS = [
    name: 'can_create_referrals',
    description: 'User can create referral links',
    is_active: true
+  },
+  {
+    name: 'can_subscribe',
+    description: 'User can complete a subscription',
+    is_active: true
  }
-  // Add more permissions here as needed
 ];

 async function ensurePermissions() {
--- a/services/permissions/PermissionService.js
+++ b/services/permissions/PermissionService.js
@ -1,7 +1,25 @@
 const PermissionRepository = require('../../repositories/permissions/PermissionRepository');
+const db = require('../../database/database');
 const { logger } = require('../../middleware/logger');

 class PermissionService {
+  static async userHasPermission(userId, permissionName) {
+    if (!userId || !permissionName) return false;
+    try {
+      const [rows] = await db.query(
+        `SELECT 1 FROM user_permissions up
+         JOIN permissions p ON up.permission_id = p.id
+         WHERE up.user_id = ? AND p.name = ? AND p.is_active = TRUE
+         LIMIT 1`,
+        [userId, permissionName]
+      );
+      return rows.length > 0;
+    } catch (error) {
+      logger.error('PermissionService.userHasPermission:error', { userId, permissionName, error: error.message });
+      return false;
+    }
+  }
+
  static async getAllPermissions(unitOfWork) {
    logger.info('PermissionService.getAllPermissions:start');
    try {