# Bug Fix: Permission Checking Issue

## Problem

The storage endpoints were returning `403 Forbidden - "insufficient permissions"` even though the admin user had the correct `storage:read` permission in the database.

## Root Cause

The `requirePermission` middleware was checking `authUser.Permissions`, but when a user was loaded via `ValidateToken()`, the `Permissions` field was empty: the permissions were never loaded from the database.

## Solution

Updated the `requirePermission` middleware to:

1. Check whether permissions are already loaded in the user object
2. If not, load them on demand from the database using the DB connection stored in the request context
3. Then perform the permission check

Also updated the `requireRole` middleware for consistency.

## Changes Made

### File: `backend/internal/common/router/middleware.go`

1. **Added database import** to access the DB type
2. **Updated `requirePermission` middleware** to load permissions on demand:

```go
// Load permissions if not already loaded (ValidateToken() leaves the slice empty)
if len(authUser.Permissions) == 0 {
	db, exists := c.Get("db")
	if exists {
		if dbConn, ok := db.(*database.DB); ok {
			permissions, err := iam.GetUserPermissions(dbConn, authUser.ID)
			if err == nil {
				authUser.Permissions = permissions
			}
			// On a lookup error the slice stays empty, so the permission
			// check that follows fails closed (403) rather than open
		}
	}
}
```

3. **Updated `requireRole` middleware** similarly to load roles on demand

### File: `backend/internal/common/router/router.go`

1. **Added middleware** to store the DB in the context for the permission middleware:

```go
protected.Use(func(c *gin.Context) {
	// Store DB in context for permission middleware
	c.Set("db", db)
	c.Next()
})
```

## Testing

After this fix, the storage endpoints should work correctly:

```bash
# This should now return 200 OK instead of 403
curl http://localhost:8080/api/v1/storage/disks \
  -H "Authorization: Bearer $TOKEN"
```

## Impact

- ✅ Storage endpoints now work correctly
- ✅ Permission checking is more robust (lazy loading)
- ✅ No performance impact (permissions cached in user object for the request)
- ✅ Consistent behavior between role and permission checks

## Related Files

- `backend/internal/common/router/middleware.go` - Permission middleware
- `backend/internal/common/router/router.go` - Router setup
- `backend/internal/iam/user.go` - User and permission retrieval functions
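The lazy-loading check described under Solution, as an added example that is not the project's code. It uses the standard library's `net/http` instead of gin, and a hypothetical `PermissionStore` interface with a constructed in-memory store stands in for `iam.GetUserPermissions` and the `*database.DB` connection; none of those names are the project's. It also handles the failure mode the page's snippet leaves implicit: a lookup error is surfaced as a 500 so the middleware fails closed explicitly, and a user whose permissions are already loaded never hits the store again within the request.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// AuthUser mirrors the shape the middleware relies on: an ID plus a
// Permissions slice that may be empty when the user came from token validation.
type AuthUser struct {
	ID          string
	Permissions []string
}

// PermissionStore is a hypothetical stand-in for the database-backed
// permission lookup; it is not the project's API.
type PermissionStore interface {
	GetUserPermissions(userID string) ([]string, error)
}

// memStore is a constructed in-memory store so the example runs offline.
// fail simulates a database outage.
type memStore struct {
	perms map[string][]string
	fail  bool
}

func (m *memStore) GetUserPermissions(userID string) ([]string, error) {
	if m.fail {
		return nil, errors.New("database unavailable")
	}
	return append([]string(nil), m.perms[userID]...), nil
}

// loadPermissions fills authUser.Permissions on demand. An error is returned
// rather than swallowed so the caller can deny the request explicitly.
func loadPermissions(store PermissionStore, u *AuthUser) error {
	if len(u.Permissions) > 0 {
		return nil // already loaded; reused for the rest of the request
	}
	perms, err := store.GetUserPermissions(u.ID)
	if err != nil {
		return err
	}
	u.Permissions = perms
	return nil
}

// hasPermission looks for an exact match in the loaded slice.
func hasPermission(u *AuthUser, required string) bool {
	for _, p := range u.Permissions {
		if p == required {
			return true
		}
	}
	return false
}

type ctxKey string

const userKey ctxKey = "authUser"

// requirePermission is the net/http equivalent of the gin middleware:
// no user -> 401, lookup failure -> 500, missing permission -> 403.
func requirePermission(store PermissionStore, required string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, ok := r.Context().Value(userKey).(*AuthUser)
		if !ok || u == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if err := loadPermissions(store, u); err != nil {
			http.Error(w, "permission lookup failed", http.StatusInternalServerError)
			return
		}
		if !hasPermission(u, required) {
			http.Error(w, "insufficient permissions", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// checkStatus runs one request through the middleware and returns the status
// code, so behaviour can be checked without a listening server.
func checkStatus(store PermissionStore, u *AuthUser, required string) int {
	okHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	h := requirePermission(store, required, okHandler)
	req := httptest.NewRequest(http.MethodGet, "/api/v1/storage/disks", nil)
	req = req.WithContext(context.WithValue(req.Context(), userKey, u))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// newStore builds the constructed sample data: an admin and a read-only viewer.
func newStore() *memStore {
	return &memStore{perms: map[string][]string{
		"admin":  {"storage:read", "storage:write"},
		"viewer": {"storage:read"},
	}}
}

func main() {
	store := newStore()
	fmt.Println(checkStatus(store, &AuthUser{ID: "admin"}, "storage:read"))   // 200
	fmt.Println(checkStatus(store, &AuthUser{ID: "viewer"}, "storage:write")) // 403
	store.fail = true
	fmt.Println(checkStatus(store, &AuthUser{ID: "admin"}, "storage:read")) // 500
}
```

Returning 500 on a lookup error is a deliberate departure from the page's snippet, where an error leaves the slice empty and the request is answered with 403; both fail closed, but the explicit error keeps an outage from being misread as a missing grant in the logs.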