calypso/docs/BUGFIX-PERMISSIONS.md
Warp Agent a08514b4f2 Organize documentation: move all markdown files to docs/ directory
- Created docs/ directory for better organization
- Moved 35 markdown files from root to docs/
- Includes all status reports, guides, and testing documentation

Co-Authored-By: Warp <agent@warp.dev>
2025-12-24 20:05:40 +00:00


# Bug Fix: Permission Checking Issue
## Problem
The storage endpoints were returning `403 Forbidden - "insufficient permissions"` even though the admin user had the correct `storage:read` permission in the database.
## Root Cause
The `requirePermission` middleware was checking `authUser.Permissions`, but when a user was loaded via `ValidateToken()`, the `Permissions` field was empty. The permissions were never loaded from the database.
## Solution
Updated the `requirePermission` middleware to:
1. Check if permissions are already loaded in the user object
2. If not, load them on-demand from the database using the DB connection stored in the request context
3. Then perform the permission check
Also updated `requireRole` middleware for consistency.
## Changes Made
### File: `backend/internal/common/router/middleware.go`
1. **Added database import** to access the DB type
2. **Updated `requirePermission` middleware** to load permissions on-demand:
```go
// Load permissions if not already loaded
if len(authUser.Permissions) == 0 {
	db, exists := c.Get("db")
	if exists {
		if dbConn, ok := db.(*database.DB); ok {
			permissions, err := iam.GetUserPermissions(dbConn, authUser.ID)
			// On a lookup error the list stays empty, so the check below still denies
			if err == nil {
				authUser.Permissions = permissions
			}
		}
	}
}
```
3. **Updated `requireRole` middleware** similarly to load roles on-demand
### File: `backend/internal/common/router/router.go`
1. **Added middleware** to store DB in context for permission middleware:
```go
protected.Use(func(c *gin.Context) {
	// Store DB in context for permission middleware
	c.Set("db", db)
	c.Next()
})
```
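A stand-alone version of the same lazy-load-then-check pattern, added here as an example and not code from the calypso project: it uses only `net/http` (no gin), a `PermissionLoader` stand-in for `iam.GetUserPermissions`, and an assumed context key for the user, and it differs from the middleware above in one point a reviewer would raise: a failed lookup answers 500 instead of being swallowed into an empty permission list.

```go
package main

import (
	"context"
	"net/http"
)

// User mirrors the page's authUser: after ValidateToken() Permissions may be empty.
type User struct {
	ID          string
	Permissions []string
}
// PermissionLoader stands in for iam.GetUserPermissions on *database.DB (assumed shape).
type PermissionLoader func(ctx context.Context, userID string) ([]string, error)
// ctxKey is where the token middleware is assumed to store the *User in the request context.
type ctxKey struct{}

// EnsurePermissions loads permissions only when none are cached; loader errors propagate so callers fail closed.
func EnsurePermissions(ctx context.Context, u *User, load PermissionLoader) error {
	if len(u.Permissions) != 0 {
		return nil // already loaded for this request: no extra DB round-trip
	}
	perms, err := load(ctx, u.ID)
	if err != nil {
		return err
	}
	u.Permissions = perms
	return nil
}

// RequirePermission gates next on perm; a lookup failure is a 500, not a 403, so an outage is distinguishable from a denial.
func RequirePermission(perm string, load PermissionLoader, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, _ := r.Context().Value(ctxKey{}).(*User)
		if u == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if err := EnsurePermissions(r.Context(), u, load); err != nil {
			http.Error(w, "permission lookup failed", http.StatusInternalServerError)
			return
		}
		for _, p := range u.Permissions {
			if p == perm {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "insufficient permissions", http.StatusForbidden)
	})
}
```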
## Testing
After this fix, the storage endpoints should work correctly:
```bash
# This should now return 200 OK instead of 403
curl http://localhost:8080/api/v1/storage/disks \
  -H "Authorization: Bearer $TOKEN"
```
## Impact
- ✅ Storage endpoints now work correctly
- ✅ Permission checking is more robust (lazy loading)
- ✅ No performance impact (permissions cached in user object for the request)
- ✅ Consistent behavior between role and permission checks
## Related Files
- `backend/internal/common/router/middleware.go` - Permission middleware
- `backend/internal/common/router/router.go` - Router setup
- `backend/internal/iam/user.go` - User and permission retrieval functions