fixed key-based access control for Tantivy backends

src/server.rs

@@ -103,12 +103,40 @@ impl Server {
 
     /// Check if current permissions allow read operations
     pub fn has_read_permission(&self) -> bool {
-        matches!(self.current_permissions, Some(crate::rpc::Permissions::Read) | Some(crate::rpc::Permissions::ReadWrite))
+        // If an explicit permission is set for this connection, honor it.
+        if let Some(perms) = self.current_permissions.as_ref() {
+            return matches!(*perms, crate::rpc::Permissions::Read | crate::rpc::Permissions::ReadWrite);
+        }
+        // Fallback ONLY when no explicit permission context (e.g., JSON-RPC flows without SELECT).
+        match crate::admin_meta::verify_access(
+            &self.option.dir,
+            self.option.backend.clone(),
+            &self.option.admin_secret,
+            self.selected_db,
+            None,
+        ) {
+            Ok(Some(crate::rpc::Permissions::Read)) | Ok(Some(crate::rpc::Permissions::ReadWrite)) => true,
+            _ => false,
+        }
     }
 
     /// Check if current permissions allow write operations
     pub fn has_write_permission(&self) -> bool {
-        matches!(self.current_permissions, Some(crate::rpc::Permissions::ReadWrite))
+        // If an explicit permission is set for this connection, honor it.
+        if let Some(perms) = self.current_permissions.as_ref() {
+            return matches!(*perms, crate::rpc::Permissions::ReadWrite);
+        }
+        // Fallback ONLY when no explicit permission context (e.g., JSON-RPC flows without SELECT).
+        match crate::admin_meta::verify_access(
+            &self.option.dir,
+            self.option.backend.clone(),
+            &self.option.admin_secret,
+            self.selected_db,
+            None,
+        ) {
+            Ok(Some(crate::rpc::Permissions::ReadWrite)) => true,
+            _ => false,
+        }
     }
 
     // ----- BLPOP waiter helpers -----