calypso/docs/BUGFIX-PERMISSIONS.md
Warp Agent a08514b4f2 Organize documentation: move all markdown files to docs/ directory
- Created docs/ directory for better organization
- Moved 35 markdown files from root to docs/
- Includes all status reports, guides, and testing documentation

Co-Authored-By: Warp <agent@warp.dev>
2025-12-24 20:05:40 +00:00

Bug Fix: Permission Checking Issue

Problem

The storage endpoints were returning 403 Forbidden - "insufficient permissions" even though the admin user had the correct storage:read permission in the database.

Root Cause

The requirePermission middleware was checking authUser.Permissions, but when a user was loaded via ValidateToken(), the Permissions field was empty. The permissions were never loaded from the database.

Solution

Updated the requirePermission middleware to:

  1. Check if permissions are already loaded in the user object
  2. If not, load them on-demand from the database using the DB connection stored in the request context
  3. Then perform the permission check

Also updated requireRole middleware for consistency.

Changes Made

File: backend/internal/common/router/middleware.go

  1. Added database import to access the DB type

  2. Updated requirePermission middleware to load permissions on-demand:

    // Load permissions if not already loaded.
    // ValidateToken() populates authUser without its Permissions, so this is
    // the first point in the request where they are fetched.
    if len(authUser.Permissions) == 0 {
        // *database.DB is placed in the context by router.go via c.Set("db", db).
        db, exists := c.Get("db")
        if exists {
            if dbConn, ok := db.(*database.DB); ok {
                permissions, err := iam.GetUserPermissions(dbConn, authUser.ID)
                if err == nil {
                    authUser.Permissions = permissions
                }
                // On a lookup error Permissions stays empty, so the check that
                // follows fails closed with 403; the error itself is not surfaced.
            }
        }
    }
    
  3. Updated requireRole middleware similarly to load roles on-demand

File: backend/internal/common/router/router.go

  1. Added middleware to store DB in context for permission middleware:
    protected.Use(func(c *gin.Context) {
        // Store DB in context for permission middleware
        c.Set("db", db)
        c.Next()
    })
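The three-step procedure above (check whether permissions are loaded, load them on demand from the store kept in the request context, then enforce) as a stand-alone Go example. This is added illustration, not code from the project: it uses only net/http rather than gin, replaces `*database.DB` and `iam.GetUserPermissions` with an assumed `PermissionStore` interface backed by a constructed in-memory map, and, unlike the snippet above, surfaces a lookup failure as 500 instead of silently leaving the permission list empty. It also tracks a `permsLoaded` flag so a user with zero permissions is not re-queried on every check.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// AuthUser mirrors the page's authUser: after token validation, Permissions
// may be empty simply because nothing has loaded them yet.
type AuthUser struct {
	ID          string
	Permissions []string
	permsLoaded bool // separates "not loaded yet" from "loaded, none granted"
}

// PermissionStore is an assumed stand-in for iam.GetUserPermissions over *database.DB.
type PermissionStore interface {
	GetUserPermissions(ctx context.Context, userID string) ([]string, error)
}

type ctxKey int

const (
	userKey ctxKey = iota
	storeKey
)

// loadPermissions is the on-demand load from the Solution section.
func loadPermissions(ctx context.Context, u *AuthUser) error {
	if u.permsLoaded || len(u.Permissions) > 0 {
		return nil // already loaded (by the token validator or an earlier check)
	}
	store, ok := ctx.Value(storeKey).(PermissionStore)
	if !ok {
		return errors.New("permission store not in request context")
	}
	perms, err := store.GetUserPermissions(ctx, u.ID)
	if err != nil {
		return err
	}
	u.Permissions = perms
	u.permsLoaded = true
	return nil
}

func hasPermission(u *AuthUser, want string) bool {
	for _, p := range u.Permissions {
		if p == want {
			return true
		}
	}
	return false
}

// RequirePermission: 401 with no authenticated user, 500 (fail closed) when
// the load errors, 403 when the permission is absent, otherwise pass through.
func RequirePermission(perm string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, ok := r.Context().Value(userKey).(*AuthUser)
		if !ok || u == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if err := loadPermissions(r.Context(), u); err != nil {
			http.Error(w, "permission lookup failed", http.StatusInternalServerError)
			return
		}
		if !hasPermission(u, perm) {
			http.Error(w, "insufficient permissions", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// WithStore plays the role of router.go's protected.Use(...) that puts the DB in context.
func WithStore(store PermissionStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), storeKey, store)))
	})
}

// mapStore is a constructed in-memory replacement for the database.
type mapStore struct {
	perms map[string][]string
	fail  bool // simulate a database error
}

func (m mapStore) GetUserPermissions(_ context.Context, id string) ([]string, error) {
	if m.fail {
		return nil, errors.New("db unavailable")
	}
	return m.perms[id], nil
}

// Simulate runs one request through the middleware chain and returns the status code.
func Simulate(store PermissionStore, user *AuthUser, perm string) int {
	final := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := WithStore(store, RequirePermission(perm, final))
	req := httptest.NewRequest("GET", "/api/v1/storage/disks", nil)
	if user != nil {
		req = req.WithContext(context.WithValue(req.Context(), userKey, user))
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	store := mapStore{perms: map[string][]string{"admin": {"storage:read"}}}
	fmt.Println(Simulate(store, &AuthUser{ID: "admin"}, "storage:read")) // 200
	fmt.Println(Simulate(store, &AuthUser{ID: "guest"}, "storage:read")) // 403
}
```

The `Simulate` helper reproduces the scenario from the Problem section: an admin whose token was validated without permissions now gets 200 because the middleware loads `storage:read` before checking, while a user without the grant still gets 403 and a store failure is rejected rather than treated as "no permissions".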
    

Testing

After this fix, the storage endpoints should work correctly:

# This should now return 200 OK instead of 403
curl http://localhost:8080/api/v1/storage/disks \
  -H "Authorization: Bearer $TOKEN"

Impact

  • Storage endpoints now work correctly
  • Permission checking is more robust (lazy loading)
  • No performance impact (permissions cached in user object for the request)
  • Consistent behavior between role and permission checks

Files Modified

  • backend/internal/common/router/middleware.go - Permission middleware
  • backend/internal/common/router/router.go - Router setup
  • backend/internal/iam/user.go - User and permission retrieval functions