Merge remote-tracking branch 'origin/master'

svc/middlewares/authz_v2.go

@@ -70,6 +70,13 @@ var routeMetaFallback = map[string]routeMeta{
 	"GET /api/product-stock-query-by-attributes": {module: "order", action: "view"},
 }
 
+var userLookupPaths = map[string]struct{}{
+	"/api/lookups/roles":       {},
+	"/api/lookups/departments": {},
+	"/api/lookups/piyasalar":   {},
+	"/api/lookups/nebim-users": {},
+}
+
 // =====================================================
 // 🌍 GLOBAL SCOPE CACHE (for invalidation)
 // =====================================================
@@ -859,6 +866,36 @@ func intersect(a, b []string) []string {
 
 	return out
 }
+
+func isUserLookupPath(pathTemplate string) bool {
+	_, ok := userLookupPaths[pathTemplate]
+	return ok
+}
+
+func resolveAnyUserCrudPermission(
+	repo *permissions.PermissionRepository,
+	userID int64,
+	roleID int64,
+	departmentCodes []string,
+) (bool, error) {
+	for _, action := range []string{"view", "insert", "update"} {
+		allowed, err := repo.ResolvePermissionChain(
+			userID,
+			roleID,
+			departmentCodes,
+			"user",
+			action,
+		)
+		if err != nil {
+			return false, err
+		}
+		if allowed {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
 func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 
 	return func(next http.Handler) http.Handler {
@@ -993,6 +1030,25 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 				return
 			}
 
+			if !allowed && isUserLookupPath(pathTemplate) {
+				allowed, err = resolveAnyUserCrudPermission(
+					repo,
+					int64(claims.ID),
+					int64(claims.RoleID),
+					claims.DepartmentCodes,
+				)
+				if err != nil {
+					log.Printf(
+						"❌ AUTHZ: user lookup fallback resolve error user=%d path=%s err=%v",
+						claims.ID,
+						pathTemplate,
+						err,
+					)
+					http.Error(w, "forbidden", http.StatusForbidden)
+					return
+				}
+			}
+
 			if !allowed {
 
 				log.Printf(