Update frontend login page.jsx และ backend

backend/src/middleware/requirePerm.js

@@ -1,25 +1,37 @@
-// src/middleware/requirePerm.js
-import { canPerform } from '../utils/rbac.js';
+// FILE: src/middleware/requirePerm.js
+// 03.2 4) เพิ่ม middleware requirePerm (ใหม่)
+// นำ middleware นี้ไปใส่ หลัง loadPrincipal เสมอ เช่น app.use('/api', authJwt(), loadPrincipalMw(), requirePerm('correspondence.create', {scope:'org', getOrgId: req=>...}), routes)
+// หรือใส่ใน route เดี่ยวๆ ก็ได้ เช่น router.post('/', requirePerm('correspondence.create', {scope:'org', getOrgId: req=>...}), (req,res)=>{...})
+// Permission requirement middleware with scope support
+// - Uses canPerform() utility from rbac.js
+// - Supports global, org, and project scopes
+// - Requires req.principal to be populated (e.g. via loadPrincipal middleware)
+
+import { canPerform } from "../utils/rbac.js";
 
 /**
  * requirePerm('correspondence.create', { scope: 'org', getOrgId: req => ... })
  * scope: 'global' | 'org' | 'project'
  */
-export function requirePerm(permCode, { scope = 'global', getOrgId = null, getProjectId = null } = {}) {
+export function requirePerm(
+  permCode,
+  { scope = "global", getOrgId = null, getProjectId = null } = {}
+) {
   return async (req, res, next) => {
     try {
       const orgId = getOrgId ? await getOrgId(req) : null;
       const projectId = getProjectId ? await getProjectId(req) : null;
 
-      if (canPerform(req.principal, permCode, { scope, orgId, projectId })) return next();
+      if (canPerform(req.principal, permCode, { scope, orgId, projectId }))
+        return next();
 
       return res.status(403).json({
-        error: 'FORBIDDEN',
+        error: "FORBIDDEN",
         message: `Require ${permCode} (${scope}-scoped)`,
       });
     } catch (e) {
-      console.error('requirePerm error', e);
-      res.status(500).json({ error: 'Permission check error' });
+      console.error("requirePerm error", e);
+      res.status(500).json({ error: "Permission check error" });
     }
   };
 }