From e66291ba29c32fa1597e2c9c33fa3a5215683d9b Mon Sep 17 00:00:00 2001
From: Fahri Gedik <53567152+fahrigedik@users.noreply.github.com>
Date: Wed, 7 Jan 2026 18:08:49 +0300
Subject: [PATCH] Ensure config state is loaded before permission check

Updated PermissionGuard and permissionGuard to wait for ConfigStateService to load granted policies before checking permissions. This prevents permission checks from running before configuration is available.
---
 .../core/src/lib/guards/permission.guard.ts     | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/npm/ng-packs/packages/core/src/lib/guards/permission.guard.ts b/npm/ng-packs/packages/core/src/lib/guards/permission.guard.ts
index 3b77913d2e..41e07f8d1b 100644
--- a/npm/ng-packs/packages/core/src/lib/guards/permission.guard.ts
+++ b/npm/ng-packs/packages/core/src/lib/guards/permission.guard.ts
@@ -8,10 +8,10 @@ import {
 } from '@angular/router';
 import { HttpErrorResponse } from '@angular/common/http';
 import { Observable, of } from 'rxjs';
-import { map, take } from 'rxjs/operators';
+import { filter, map, switchMap, take } from 'rxjs/operators';
 import { AuthService, IAbpGuard } from '../abstracts';
 import { findRoute, getRoutePath } from '../utils/route-utils';
-import { RoutesService, PermissionService, HttpErrorReporterService } from '../services';
+import { RoutesService, PermissionService, HttpErrorReporterService, ConfigStateService } from '../services';
 import { isPlatformServer } from '@angular/common';
 /**
  * @deprecated Use `permissionGuard` *function* instead.
@@ -25,6 +25,7 @@ export class PermissionGuard implements IAbpGuard {
   protected readonly authService = inject(AuthService);
   protected readonly permissionService = inject(PermissionService);
   protected readonly httpErrorReporter = inject(HttpErrorReporterService);
+  protected readonly configStateService = inject(ConfigStateService);
 
   canActivate(route: ActivatedRouteSnapshot, state: RouterStateSnapshot): Observable<boolean | UrlTree> {
     let { requiredPolicy } = route.data || {};
@@ -38,7 +39,10 @@ export class PermissionGuard implements IAbpGuard {
       return of(true);
     }
 
-    return this.permissionService.getGrantedPolicy$(requiredPolicy).pipe(
+    return this.configStateService.getAll$().pipe(
+      filter(config => !!config?.auth?.grantedPolicies),
+      take(1),
+      switchMap(() => this.permissionService.getGrantedPolicy$(requiredPolicy)),
       take(1),
       map(access => {
         if (access) return true;
@@ -50,7 +54,6 @@ export class PermissionGuard implements IAbpGuard {
         if (this.authService.isAuthenticated) {
           this.httpErrorReporter.reportError({ status: 403 } as HttpErrorResponse);
         }
-
         return false;
       }),
     );
@@ -66,6 +69,7 @@ export const permissionGuard: CanActivateFn = (
   const authService = inject(AuthService);
   const permissionService = inject(PermissionService);
   const httpErrorReporter = inject(HttpErrorReporterService);
+  const configStateService = inject(ConfigStateService);
   const platformId = inject(PLATFORM_ID);
 
   let { requiredPolicy } = route.data || {};
@@ -84,7 +88,10 @@ export const permissionGuard: CanActivateFn = (
     return of(true);
   }
 
-  return permissionService.getGrantedPolicy$(requiredPolicy).pipe(
+  return configStateService.getAll$().pipe(
+    filter(config => !!config?.auth?.grantedPolicies),
+    take(1),
+    switchMap(() => permissionService.getGrantedPolicy$(requiredPolicy)),
     take(1),
     map(access => {
       if (access) return true;