From 30bd7f02143af28ff2a20879ed2d6a10e91ceec1 Mon Sep 17 00:00:00 2001 From: BibaBot Jarvis Date: Mon, 16 Mar 2026 03:06:38 +0000 Subject: [PATCH] feat: Implement role-based access control middleware and update documentation --- ISSUE-123.md | 18 ++++++++++++++++++ ISSUE_TEMPLATE.md | 25 +++++++++++++++++++++++++ backend/middleware/role.middleware.js | 20 ++++++++++++++++++++ docs/roles-and-permissions.md | 4 ++-- 4 files changed, 65 insertions(+), 2 deletions(-) create mode 100644 ISSUE-123.md create mode 100644 ISSUE_TEMPLATE.md create mode 100644 backend/middleware/role.middleware.js
diff --git a/ISSUE-123.md b/ISSUE-123.md
new file mode 100644
index 0000000..5656911
--- /dev/null
+++ b/ISSUE-123.md
@@ -0,0 +1,18 @@
+# Issue #123: Implement Role-Based Access Control (RBAC) for API Endpoints
+
+## Description
+
+Implement role-based access control (RBAC) for the API endpoints to ensure that users can only access resources and perform actions according to their assigned roles (`user`, `moderator`, `admin`).
+
+This task involves:
+1. Creating middleware to check user roles
+2. Applying role checks to existing API endpoints
+3. Ensuring audit logging for sensitive operations
+
+## Acceptance Criteria
+
+- [ ] JWT tokens include a `role` claim
+- [ ] Middleware `requireRole([...])` is implemented and functional
+- [ ] All existing API endpoints are updated with appropriate role requirements
+- [ ] Audit events are logged for sensitive actions
+- [ ] Documentation of the RBAC implementation is updated
\ No newline at end of file
diff --git a/ISSUE_TEMPLATE.md b/ISSUE_TEMPLATE.md
new file mode 100644
index 0000000..8c7237f
--- /dev/null
+++ b/ISSUE_TEMPLATE.md
@@ -0,0 +1,25 @@
+## Beschreibung
+
+Erstelle eine neue Issue, die das Rollen- und Rechtekonzept für das Projekt `helpyourneighbour` dokumentiert und implementiert.
+
+## Aufgaben
+
+- [ ] Dokumentation des Rollen- und Rechtekonzepts in `docs/roles-and-permissions.md`
+- [ ] Implementierung der Middleware zur Prüfung der Benutzerrolle (`backend/middleware/requireRole.js`)
+- [ ] Implementierung der Middleware zur Protokollierung sensibler Aktionen (`backend/middleware/auditLogger.js`)
+- [ ] Integration der Middleware in die Auth-Routen (`backend/routes/auth.js`)
+- [ ] Test der Funktionalität
+
+## Akzeptanzkriterien
+
+- Die Dokumentation des Rollen- und Rechtekonzepts ist vollständig
+- Die Middleware zur Prüfung der Benutzerrolle funktioniert korrekt
+- Die Middleware zur Protokollierung sensibler Aktionen funktioniert korrekt
+- Die Auth-Routen verwenden die neuen Middlewares
+- Alle Tests bestehen
+
+## Weitere Informationen
+
+- Die Implementierung basiert auf JWTs mit `role` Claim
+- Sensible Aktionen werden protokolliert
+- Es gibt drei Rollen: `user`, `moderator`, `admin`
\ No newline at end of file
diff --git a/backend/middleware/role.middleware.js b/backend/middleware/role.middleware.js
new file mode 100644
index 0000000..1aad494
--- /dev/null
+++ b/backend/middleware/role.middleware.js
@@ -0,0 +1,20 @@
+/**
+ * Middleware to check if the user has the required role(s)
+ * @param {string[]} allowedRoles - Array of roles allowed to access the endpoint
+ * @returns {function} Express middleware function
+ */
+export const requireRole = (allowedRoles) => {
+ return (req, res, next) => {
+ const userRole = req.user?.role;
+
+ if (!userRole) {
+ return res.status(401).json({ error: 'Unauthorized: Missing role claim' });
+ }
+
+ if (!allowedRoles.includes(userRole)) {
+ return res.status(403).json({ error: 'Forbidden: Insufficient permissions' });
+ }
+
+ next();
+ };
+};
\ No newline at end of file
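Review bot: `allowedRoles.includes(userRole)` changes meaning silently if a caller passes a bare string instead of the documented `string[]` — `String.prototype.includes` is a substring test, so with `requireRole('admin')` a role value that is a fragment of the allowed name would clear the 403 check. Validate the argument once at factory time rather than per request, e.g. `if (!Array.isArray(allowedRoles)) throw new TypeError('requireRole: allowedRoles must be an array of role names');`, and consider `const allowed = new Set(allowedRoles);` so the per-request check becomes `allowed.has(userRole)` with exact-match semantics. The check also depends on an earlier middleware having populated `req.user` from a verified token, which the hunk does not state; a comment above `const userRole = req.user?.role;` such as `// req.user is expected to be set by the JWT verification middleware that runs before this one` would make the ordering requirement explicit for whoever wires the routes. The 401 branch currently fires both when `req.user` is absent and when the claim is merely empty, which is fine as a fail-closed default but is worth noting in the JSDoc.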
diff --git a/docs/roles-and-permissions.md b/docs/roles-and-permissions.md
index fd25e3c..4c470ef 100644
--- a/docs/roles-and-permissions.md
+++ b/docs/roles-and-permissions.md
@@ -53,7 +53,7 @@ ## Technische Durchsetzung - JWT enthaelt `role` Claim (`user|moderator|admin`)
-- Serverseitige Middleware `requireRole([...])` fuer Endpunkte
+- Serverseitige Middleware `requireRole([...])` fuer Endpunkte (implementiert in `backend/middleware/role.middleware.js`)
 - Sensible Aktionen schreiben Audit-Eintrag mit:
 - actorUserId
 - action
@@ -72,4 +72,4 @@
 - Rollenmodell im Repo dokumentiert
 - Rollen-Claims in API-Security-Konzept referenziert
 - Role-Checks fuer neue Endpunkte verpflichtend
-- Audit-Events fuer Admin/Moderation spezifiziert
+- Audit-Events fuer Admin/Moderation spezifiziert
\ No newline at end of file