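// src/middleware/requirePerm.js
import { canPerform } from '../utils/rbac.js';

/** The scopes a permission can be evaluated in (the only values the usage doc below allows). */
const SCOPES = new Set(['global', 'org', 'project']);

/**
 * Build an Express middleware that lets the request continue only when
 * `req.principal` is allowed `permCode` in the requested scope, e.g.
 *
 *   requirePerm('correspondence.create', { scope: 'org', getOrgId: req => ... })
 *
 * The decision itself is delegated to canPerform(); this wrapper only resolves
 * the scope ids from the request and turns the result into a response.
 *
 * @param {string} permCode - permission code handed to canPerform().
 * @param {object} [options]
 * @param {'global'|'org'|'project'} [options.scope='global'] - scope the permission is evaluated in.
 * @param {(req) => any} [options.getOrgId] - resolves the org id from the request (may be async); null when unused.
 * @param {(req) => any} [options.getProjectId] - resolves the project id from the request (may be async); null when unused.
 * @returns {(req, res, next) => Promise<void>} middleware that calls next() when allowed,
 *   answers 403 when denied, and 500 when the check itself fails.
 * @throws {TypeError} at construction time when `scope` is not one of the known values.
 */
export function requirePerm(permCode, { scope = 'global', getOrgId = null, getProjectId = null } = {}) {
  // Fail fast on a misconfigured scope at startup instead of passing an unknown
  // value to canPerform() on every request.
  if (!SCOPES.has(scope)) {
    throw new TypeError(`requirePerm: unknown scope "${scope}" for ${permCode}`);
  }

  return async (req, res, next) => {
    let allowed;
    try {
      const orgId = getOrgId ? await getOrgId(req) : null;
      const projectId = getProjectId ? await getProjectId(req) : null;
      // NOTE(review): an unauthenticated request reaches canPerform() with
      // req.principal undefined — confirm canPerform() denies in that case.
      allowed = canPerform(req.principal, permCode, { scope, orgId, projectId });
    } catch (e) {
      // Fail closed: any error while resolving ids or evaluating the permission
      // denies the request. Details go to the log only; the client gets a generic
      // message. headersSent is checked so we never try to write a second response.
      console.error('requirePerm error', e);
      if (!res.headersSent) {
        res.status(500).json({ error: 'Permission check error' });
      }
      return;
    }

    if (allowed) {
      // Called outside the try block so an error thrown synchronously by a
      // downstream handler is not misreported here as a permission-check failure
      // (which could also attempt a second response after headers were sent).
      return next();
    }
    return res.status(403).json({
      error: 'FORBIDDEN',
      message: `Require ${permCode} (${scope}-scoped)`,
    });
  };
}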