fix: lesson plan permission.

controllers/lesson_plan.go

@@ -148,8 +148,20 @@ func (lc *LessonPlanController) Upload(c *gin.Context) {
 }
 
 func (lc *LessonPlanController) List(c *gin.Context) {
+	userID, _, ok := currentUser(c)
+	if !ok {
+		writeError(c, http.StatusUnauthorized, "invalid user context")
+		return
+	}
+	role := currentUserRole(c)
+
+	query := lc.DB.Where("file_type = ?", models.AppFileTypeLessonPlan)
+	if role != models.UserRoleSuperAdmin && role != models.UserRoleRegionAdmin {
+		query = query.Where("uploader_id = ?", userID)
+	}
+
 	var records []models.AppFile
-	if err := lc.DB.Where("file_type = ?", models.AppFileTypeLessonPlan).Order("created_at DESC").Find(&records).Error; err != nil {
+	if err := query.Order("created_at DESC").Find(&records).Error; err != nil {
 		writeError(c, http.StatusInternalServerError, "failed to list lesson plans")
 		return
 	}
@@ -157,6 +169,13 @@ func (lc *LessonPlanController) List(c *gin.Context) {
 }
 
 func (lc *LessonPlanController) Page(c *gin.Context) {
+	userID, _, ok := currentUser(c)
+	if !ok {
+		writeError(c, http.StatusUnauthorized, "invalid user context")
+		return
+	}
+	role := currentUserRole(c)
+
 	var params lessonPlanPaginationParams
 	if err := c.ShouldBindQuery(&params); err != nil {
 		writeError(c, http.StatusBadRequest, err.Error())
@@ -173,6 +192,9 @@ func (lc *LessonPlanController) Page(c *gin.Context) {
 	var total int64
 	var records []models.AppFile
 	query := lc.DB.Model(&models.AppFile{}).Where("file_type = ?", models.AppFileTypeLessonPlan)
+	if role != models.UserRoleSuperAdmin && role != models.UserRoleRegionAdmin {
+		query = query.Where("uploader_id = ?", userID)
+	}
 	if err := query.Count(&total).Error; err != nil {
 		writeError(c, http.StatusInternalServerError, "failed to count lesson plans")
 		return