full stack second commit

go_cloud/internal/middleware/middleware.go

@@ -7,6 +7,7 @@ import (
 
 	"go.b0esche.cloud/backend/internal/audit"
 	"go.b0esche.cloud/backend/internal/database"
+	"go.b0esche.cloud/backend/internal/errors"
 	"go.b0esche.cloud/backend/internal/org"
 	"go.b0esche.cloud/backend/internal/permission"
 	"go.b0esche.cloud/backend/pkg/jwt"
@@ -73,7 +74,7 @@ func Org(db *database.DB, auditLogger *audit.Logger) func(http.Handler) http.Han
 			}
 			orgID, err := uuid.Parse(orgIDStr)
 			if err != nil {
-				http.Error(w, "Invalid org ID", http.StatusBadRequest)
+				errors.WriteError(w, errors.CodeInvalidArgument, "Invalid org ID", http.StatusBadRequest)
 				return
 			}
 
@@ -85,7 +86,21 @@ func Org(db *database.DB, auditLogger *audit.Logger) func(http.Handler) http.Han
 					Success:  false,
 					Metadata: map[string]interface{}{"org_id": orgID, "error": err.Error()},
 				})
-				http.Error(w, "Forbidden", http.StatusForbidden)
+				errors.LogError(r, err, "Org access denied")
+				errors.WriteError(w, errors.CodePermissionDenied, "Forbidden", http.StatusForbidden)
+				return
+			}
+
+			_, err = org.CheckMembership(r.Context(), db, userID, orgID)
+			if err != nil {
+				auditLogger.Log(r.Context(), audit.Entry{
+					UserID:   &userID,
+					Action:   "org_access",
+					Success:  false,
+					Metadata: map[string]interface{}{"org_id": orgID, "error": err.Error()},
+				})
+				errors.LogError(r, err, "Org access denied")
+				errors.WriteError(w, errors.CodePermissionDenied, "Forbidden", http.StatusForbidden)
 				return
 			}
 
@@ -113,7 +128,8 @@ func Permission(db *database.DB, auditLogger *audit.Logger, perm permission.Perm
 					Success:  false,
 					Metadata: map[string]interface{}{"permission": perm},
 				})
-				http.Error(w, "Forbidden", http.StatusForbidden)
+				errors.LogError(r, err, "Permission denied")
+				errors.WriteError(w, errors.CodePermissionDenied, "Forbidden", http.StatusForbidden)
 				return
 			}