fix: close auth, permission, contract and e2e review blockers

internal/api/handler/user_handler.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 
+	apimiddleware "github.com/user-management-system/internal/api/middleware"
 	"github.com/user-management-system/internal/auth"
 	"github.com/user-management-system/internal/domain"
 	"github.com/user-management-system/internal/service"
@@ -187,16 +188,7 @@ func (h *UserHandler) UpdateUser(c *gin.Context) {
 
 	// Authorization: only self or admin can update user profile
 	currentUserID := c.GetInt64("user_id")
-	isAdmin := false
-	if roles, ok := c.Get("user_roles"); ok {
-		for _, role := range roles.([]*domain.Role) {
-			if role.Code == "admin" {
-				isAdmin = true
-				break
-			}
-		}
-	}
-	if currentUserID != id && !isAdmin {
+	if currentUserID != id && !apimiddleware.IsAdmin(c) {
 		c.JSON(http.StatusForbidden, gin.H{"code": 403, "message": "permission denied"})
 		return
 	}
@@ -289,6 +281,12 @@ func (h *UserHandler) UpdatePassword(c *gin.Context) {
 		return
 	}
 
+	currentUserID := c.GetInt64("user_id")
+	if currentUserID != id && !apimiddleware.IsAdmin(c) {
+		c.JSON(http.StatusForbidden, gin.H{"code": 403, "message": "permission denied"})
+		return
+	}
+
 	if err := h.userService.ChangePassword(c.Request.Context(), id, req.OldPassword, req.NewPassword); err != nil {
 		handleError(c, err)
 		return
@@ -370,16 +368,7 @@ func (h *UserHandler) GetUserRoles(c *gin.Context) {
 
 	// Authorization: only self or admin can view user roles
 	currentUserID := c.GetInt64("user_id")
-	isAdmin := false
-	if roles, ok := c.Get("user_roles"); ok {
-		for _, role := range roles.([]*domain.Role) {
-			if role.Code == "admin" {
-				isAdmin = true
-				break
-			}
-		}
-	}
-	if currentUserID != id && !isAdmin {
+	if currentUserID != id && !apimiddleware.IsAdmin(c) {
 		c.JSON(http.StatusForbidden, gin.H{"code": 403, "message": "permission denied"})
 		return
 	}