From 21db2a638bbc02cb83d19c646aea9a4ab19f628e Mon Sep 17 00:00:00 2001
From: Nick Zeng <Nick.Zeng@wpic.co>
Date: Mon, 9 Mar 2026 14:12:05 +0800
Subject: [PATCH] update user controller

---
 backend/app/Controller/api/v1/UserController.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/backend/app/Controller/api/v1/UserController.php b/backend/app/Controller/api/v1/UserController.php
index d0091a1..51cf9f4 100644
--- a/backend/app/Controller/api/v1/UserController.php
+++ b/backend/app/Controller/api/v1/UserController.php
@@ -6,6 +6,7 @@ namespace App\Controller\Api\V1;
 
 use App\Controller\AbstractController;
 use App\Middleware\AuthMiddleware;
+use App\Middleware\PermissionMiddleware;
 use App\Model\User;
 use Hyperf\HttpServer\Annotation\Controller;
 use Hyperf\HttpServer\Annotation\Middleware;
@@ -54,6 +55,7 @@ class UserController extends AbstractController
     )]
     #[RequestMapping(path: "", methods: "GET")]
     #[Middleware(AuthMiddleware::class)]
+    #[Middleware(PermissionMiddleware::class)]
     public function index(): array
     {
         $page = max(1, (int) $this->request->input('page', 1));
@@ -135,6 +137,7 @@ class UserController extends AbstractController
     )]
     #[RequestMapping(path: "", methods: "POST")]
     #[Middleware(AuthMiddleware::class)]
+    #[Middleware(PermissionMiddleware::class)]
     public function store(): \Psr\Http\Message\ResponseInterface|array
     {
         $username = $this->request->input('username');
@@ -263,6 +266,7 @@ class UserController extends AbstractController
     )]
     #[RequestMapping(path: "{id}", methods: "GET")]
     #[Middleware(AuthMiddleware::class)]
+    #[Middleware(PermissionMiddleware::class)]
     public function show(int $id): \Psr\Http\Message\ResponseInterface|array
     {
         $user = User::query()->find($id);
@@ -320,6 +324,7 @@ class UserController extends AbstractController
     )]
     #[RequestMapping(path: "{id}", methods: "PUT")]
     #[Middleware(AuthMiddleware::class)]
+    #[Middleware(PermissionMiddleware::class)]
     public function update(int $id): \Psr\Http\Message\ResponseInterface|array
     {
         $user = User::query()->find($id);
@@ -472,6 +477,7 @@ class UserController extends AbstractController
     )]
     #[RequestMapping(path: "{id}/status", methods: "PATCH")]
     #[Middleware(AuthMiddleware::class)]
+    #[Middleware(PermissionMiddleware::class)]
     public function updateStatus(int $id): \Psr\Http\Message\ResponseInterface|array
     {
         $user = User::query()->find($id);