When checking that permissions can be added for user (operating user), mod-permissions checks X-Okapi-Permissions header in the assumption this has all modulePermissions for the request.
It does not include them.. only the permission for the call itself. Fix this by looking at the
token instead which includes JSON payload property extra_permissions that includes all modulePermissions.
This can also be viewed as an Okapi error, although changing behavior should be done with care. So for now, changing mod-permissions to use existing infrastructure.