feature/apply middleware to check permission