Merge remote-tracking branch 'origin/master'

2026-03-04 17:59:14 +03:00
parent b1150c5ef7
commit 94244b194a
7 changed files with 506 additions and 46 deletions
--- a/svc/middlewares/authz_v2.go
+++ b/svc/middlewares/authz_v2.go
@@ -57,6 +57,19 @@ type ttlCache struct {
 	m   map[string]cacheItem
 }

+type routeMeta struct {
+	module string
+	action string
+}
+
+var routeMetaCache sync.Map
+
+var routeMetaFallback = map[string]routeMeta{
+	"GET /api/product-images":                    {module: "order", action: "view"},
+	"GET /api/product-images/{id}/content":       {module: "order", action: "view"},
+	"GET /api/product-stock-query-by-attributes": {module: "order", action: "view"},
+}
+
 // =====================================================
 // 🌍 GLOBAL SCOPE CACHE (for invalidation)
 // =====================================================
@@ -912,35 +925,40 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 			}

 			// =====================================================
-			// 3️⃣ ROUTE LOOKUP (path + method)
+			// 3️⃣ ROUTE LOOKUP (path + method) with cache+fallback
 			// =====================================================
 			var module, action string
+			routeKey := r.Method + " " + pathTemplate

-			err = pg.QueryRow(`
-				SELECT module_code, action
-				FROM mk_sys_routes
-				WHERE path = $1
-				  AND method = $2
-			`,
-				pathTemplate,
-				r.Method,
-			).Scan(&module, &action)
-
-			if err != nil {
-
-				log.Printf(
-					"❌ AUTHZ: route not registered: %s %s",
-					r.Method,
+			if cached, ok := routeMetaCache.Load(routeKey); ok {
+				meta := cached.(routeMeta)
+				module, action = meta.module, meta.action
+			} else {
+				err = pg.QueryRow(`
+					SELECT module_code, action
+					FROM mk_sys_routes
+					WHERE path = $1
+					  AND method = $2
+				`,
 					pathTemplate,
-				)
+					r.Method,
+				).Scan(&module, &action)

-				if pathTemplate == "/api/password/change" {
-					http.Error(w, "password change route permission not found", http.StatusForbidden)
+				if err == nil {
+					routeMetaCache.Store(routeKey, routeMeta{module: module, action: action})
+				} else if fb, ok := routeMetaFallback[routeKey]; ok {
+					module, action = fb.module, fb.action
+					routeMetaCache.Store(routeKey, fb)
+					log.Printf("⚠️ AUTHZ: route lookup fallback used: %s", routeKey)
+				} else if err == sql.ErrNoRows {
+					log.Printf("❌ AUTHZ: route not registered: %s %s", r.Method, pathTemplate)
+					http.Error(w, "route permission not found", http.StatusForbidden)
+					return
+				} else {
+					log.Printf("❌ AUTHZ: route lookup db error: %s %s err=%v", r.Method, pathTemplate, err)
+					http.Error(w, "permission lookup failed", http.StatusInternalServerError)
 					return
 				}
-
-				http.Error(w, "route permission not found", http.StatusForbidden)
-				return
 			}

 			// =====================================================