From 658fa8f9a2b7793295d666c9ea6720dcd5520a81 Mon Sep 17 00:00:00 2001
From: medcl
Date: Wed, 3 Jun 2026 18:38:15 +0800
Subject: [PATCH] chore: fix permission cache
---
 core/security/cache.go | 1 +
 core/security/filters/auth.go | 6 ++++++
 core/security/permission_registry.go | 4 ++++
 core/security/user_permission.go | 15 +++++++++++++++
 4 files changed, 26 insertions(+)
diff --git a/core/security/cache.go b/core/security/cache.go
index c15232836..dca5ac274 100644
--- a/core/security/cache.go
+++ b/core/security/cache.go
@@ -30,6 +30,7 @@ func GetUserPermissions(shortUser *UserSessionInfo) *UserAssignedPermission {
 if ok {
 if !x.NeedRefresh() {
 shortUser.UserAssignedPermission = x
+ shortUser.Permissions = x.GetPermissionKeys()
 if global.Env().IsDebug {
 log.Trace("hit permission cache")
 x.Dump()
diff --git a/core/security/filters/auth.go b/core/security/filters/auth.go
index 3a0b677e7..67147c55f 100644
--- a/core/security/filters/auth.go
+++ b/core/security/filters/auth.go
@@ -53,6 +53,12 @@ func (f *AuthFilter) ApplyFilter(
 if resolverErr := security.RunRequestContextResolvers(r.Context(), r, claims); resolverErr != nil {
 log.Warn("request context resolver error: ", resolverErr)
 }
+
+ //proactive update permission on auth check
+ if claims.UserAssignedPermission == nil || claims.UserAssignedPermission.NeedRefresh() {
+ claims.UserAssignedPermission = security.GetUserPermissions(claims)
+ }
+
 r = r.WithContext(security.AddUserToContext(r.Context(), claims))
 }
diff --git a/core/security/permission_registry.go b/core/security/permission_registry.go
index da852ac04..36be89749 100644
--- a/core/security/permission_registry.go
+++ b/core/security/permission_registry.go
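Review bot: In core/security/cache.go the new `shortUser.Permissions = x.GetPermissionKeys()` runs only on the cache-hit branch, so whether `Permissions` and `UserAssignedPermission` stay consistent on the miss or `NeedRefresh()` path cannot be confirmed from this hunk; GetUserPermissions continues outside it. If that path leaves `Permissions` as the session supplied it, any check that reads the key list can act on grants that have since been revoked. I would set both fields in one place, or at least add `// Permissions must mirror UserAssignedPermission on every return path` above the assignment. The call also rebuilds the slice from the permission set on each hit, which looks to be per authenticated request given the auth.go hunk, so caching the key list next to the cached entry may be worth it.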
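Review bot: In core/security/filters/auth.go the result of `security.GetUserPermissions(claims)` is stored without a nil check, and the request then continues into `AddUserToContext` whatever the refresh returned. That is only safe if every downstream authorization check treats a nil `UserAssignedPermission` as deny, which is not visible here; a failed refresh should also leave a trace, e.g. `if claims.UserAssignedPermission == nil { log.Warn("permission refresh returned nil") }` after the assignment. The cache.go hunk shows GetUserPermissions already assigning `shortUser.UserAssignedPermission` on a hit, so the assignment here is partly redundant. ApplyFilter's body starts and ends outside the hunk.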
@@ -147,6 +147,10 @@ func MustRegisterPermissionByKey(key PermissionKey) PermissionID {
 return permissionRegistry.MustGetPermissionIDByKey(key)
 }
+func MustGetPermissionKey(id PermissionID) PermissionKey {
+ return permissionRegistry.MustGetPermissionKeyByID(id)
+}
+
 func MustRegisterPermissionByKeys(key []PermissionKey) []PermissionID {
 v := []PermissionID{}
 for _, k := range key {
diff --git a/core/security/user_permission.go b/core/security/user_permission.go
index 46ab555a3..5c65c863f 100644
--- a/core/security/user_permission.go
+++ b/core/security/user_permission.go
@@ -81,6 +81,21 @@ func (p *UserAssignedPermission) Dump() {
 }
 }
+func (p *UserAssignedPermission) GetPermissionKeys() []PermissionKey {
+ keys := []PermissionKey{}
+ if p.AllowedPermissions != nil {
+ iter := p.AllowedPermissions.Iterator()
+ for iter.HasNext() {
+ id := PermissionID(iter.Next())
+ k := MustGetPermissionKey(id)
+ if k != "" {
+ keys = append(keys, k)
+ }
+ }
+ }
+ return keys
+}
+
 func (p *UserAssignedPermission) NeedRefresh() bool {
 return NeedRefreshPermission(p.PermissionVersion)
 }
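Review bot: `MustGetPermissionKey` in core/security/permission_registry.go is exported without a doc comment, and the `Must` prefix leaves its behaviour for an unregistered `id` open: the caller added in user_permission.go tests `k != ""`, which only makes sense if an empty key is returned rather than a panic. Since that caller runs while permissions are resolved for a request, a panic on an ID that is in a cached set but missing from the local registry would fail requests, so the contract should be written down. Suggested comment: `// MustGetPermissionKey returns the key registered for id. For an unregistered id it <panics | returns "">.` with the placeholder resolved against `MustGetPermissionKeyByID`, whose body is not in this patch.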
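Review bot: `GetPermissionKeys` in core/security/user_permission.go silently skips any ID whose key comes back empty, so the `Permissions` list assigned in cache.go can be a strict subset of `AllowedPermissions` with nothing recording the gap. Two views of the same grant set that disagree are hard to debug in an authorization path; I would record the skipped ID in an else branch of the `k != ""` test, e.g. `log.Warn("permission id without registered key: ", id)`. The method also needs a doc comment saying it returns a newly allocated, possibly empty, never-nil slice, and `keys` could be pre-sized if the set type exposes a cardinality.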