fix permissions

backend/src/controllers/issue.controller.ts

@@ -10,7 +10,7 @@ class IssueController {
     try {
       const userId = req.user!.id;
       const groups: string[] = (req.user as any).groups || [];
-      const canViewAll = groups.includes('dashboard_admin') || permissionService.hasPermission(groups, 'issues:view_all');
+      const canViewAll = permissionService.hasPermission(groups, 'issues:view_all');
 
       // Parse filter query params
       const filters: {
@@ -60,7 +60,7 @@ class IssueController {
       }
       const userId = req.user!.id;
       const groups: string[] = (req.user as any).groups || [];
-      const canViewAll = groups.includes('dashboard_admin') || permissionService.hasPermission(groups, 'issues:view_all');
+      const canViewAll = permissionService.hasPermission(groups, 'issues:view_all');
       if (!canViewAll && issue.erstellt_von !== userId && issue.zugewiesen_an !== userId) {
         res.status(403).json({ success: false, message: 'Kein Zugriff' });
         return;
@@ -227,7 +227,7 @@ class IssueController {
       }
       const userId = req.user!.id;
       const groups: string[] = (req.user as any).groups || [];
-      const canViewAll = groups.includes('dashboard_admin') || permissionService.hasPermission(groups, 'issues:view_all');
+      const canViewAll = permissionService.hasPermission(groups, 'issues:view_all');
       if (!canViewAll && issue.erstellt_von !== userId && issue.zugewiesen_an !== userId) {
         res.status(403).json({ success: false, message: 'Kein Zugriff' });
         return;

backend/src/database/migrations/056_issues_widget_permission.sql

@@ -1,13 +1,15 @@
 -- Migration 056: Add issues:widget permission
--- Gated permission for the Issue Quick Add dashboard widget.
+--
--- Granted to all groups that currently have issues:create.
+-- Adds the widget permission for the Issue Quick Add dashboard widget.
+-- dashboard_admin gets it automatically via the permission cache (loadCache
+-- populates it with every permission in the system).
 
--- 1. Insert the new permission
+-- 1. Insert the new widget permission
 INSERT INTO permissions (id, feature_group_id, label, description, sort_order)
 VALUES ('issues:widget', 'issues', 'Widget', 'Issue-Schnelleingabe auf dem Dashboard', 8)
 ON CONFLICT (id) DO NOTHING;
 
--- 2. Grant to every group that already has issues:create
+-- 2. Grant issues:widget to every group that already has issues:create
 INSERT INTO group_permissions (authentik_group, permission_id)
   SELECT authentik_group, 'issues:widget'
   FROM group_permissions

backend/src/services/permission.service.ts

@@ -87,6 +87,11 @@ class PermissionService {
         }
         newMap.get(row.authentik_group)!.add(row.permission_id);
       }
+
+      // dashboard_admin always holds every permission in the system
+      const allPermsResult = await pool.query('SELECT id FROM permissions');
+      newMap.set('dashboard_admin', new Set(allPermsResult.rows.map((r: any) => r.id)));
+
       this.groupPermissions = newMap;
 
       // Load maintenance flags