feat: create issue #5 for RBAC implementation

Created issue #5 to track the implementation of role-based access control for API endpoints as per the documented roles and permissions.
2026-03-16 08:06:33 +00:00 · 2026-03-16 08:06:33 +00:00 · 097d1af837
commit 097d1af837
parent 3efc1e493f
1 changed files with 11 additions and 16 deletions
--- a/issues/5.md
+++ b/issues/5.md
@ -12,22 +12,17 @@ This includes:
 ## Acceptance Criteria
- [ ] All API endpoints properly validate user roles
+- [ ] JWT middleware extracts user role from token claims
- [ ] JWT middleware extracts and validates the `role` claim
+- [ ] Middleware `requireRole([...])` is implemented and used for all protected endpoints
- [ ] Role-checking middleware (`requireRole`) is implemented and used
+- [ ] Role checks are enforced for all API endpoints (auth, requests, offers, deals, contacts, disputes)
- [ ] Sensitive actions are logged with audit events
+- [ ] Audit logging is implemented for sensitive actions (e.g., user suspension, dispute decisions)
- [ ] Unit tests cover role-based access for all endpoints
+- [ ] Unit tests cover role-based access control logic
- [ ] Documentation updated to reflect new RBAC implementation
+- [ ] Documentation updated with RBAC implementation details
 ## Tasks
-1. Implement JWT middleware to extract `role` claim
+1. Implement `requireRole` middleware in `backend/middleware/role.middleware.js`
-2. Create `requireRole` middleware
+2. Integrate role checking into existing API routes
-3. Apply role checks to existing API endpoints
+3. Add audit logging for sensitive actions
-4. Add audit logging for sensitive actions
+4. Write unit tests for role checks
-5. Write unit tests
+5. Update documentation (`docs/roles-and-permissions.md`)
 6. Update documentation
 ## Notes
 This is a follow-up to the roles and permissions documentation in `docs/roles-and-permissions.md`.