From 507b2772d36ca1ce50b7df061b41ebb093e1fb76 Mon Sep 17 00:00:00 2001 From: BibaBot Jarvis Date: Mon, 16 Mar 2026 10:06:38 +0000 Subject: [PATCH] feat: add issue #124 for RBAC implementation --- ISSUE-124.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 ISSUE-124.md diff --git a/ISSUE-124.md b/ISSUE-124.md new file mode 100644 index 0000000..bf9f349 --- /dev/null +++ b/ISSUE-124.md @@ -0,0 +1,32 @@ +# Issue #124: Implement Role-Based Access Control (RBAC) for API Endpoints + +## Description + +Implement role-based access control (RBAC) for the API endpoints to ensure that users can only perform actions allowed by their role (`user`, `moderator`, `admin`). This includes: + +- Middleware to check user roles on protected routes +- Integration with JWT claims +- Audit logging for sensitive actions +- Documentation of the RBAC model + +## Acceptance Criteria + +- [ ] JWT middleware extracts role from token +- [ ] `requireRole` middleware implemented and tested +- [ ] All existing API endpoints have appropriate role checks +- [ ] Sensitive actions are logged with audit events +- [ ] Documentation updated to reflect RBAC implementation +- [ ] Tests added for role-based access + +## Tasks + +1. Implement `requireRole` middleware in `backend/middleware/role.middleware.js` +2. Add role checks to existing API routes +3. Integrate role checking into JWT authentication flow +4. Implement audit logging for sensitive actions +5. Update documentation (`docs/roles-and-permissions.md`) +6. Write tests for RBAC functionality + +## Notes + +This is a follow-up to the existing roles and permissions documentation in `docs/roles-and-permissions.md`. The implementation should align with the defined roles and permissions matrix. \ No newline at end of file
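Review bot: the acceptance criteria ("JWT middleware extracts role from token", "`requireRole` middleware implemented and tested") say nothing about what happens when the claim is missing or carries a value outside `user`, `moderator`, `admin`, nor that the role may only be read after the token's signature has been verified; as written, a route could pass the check on an unverified or unknown role. Suggest adding explicit criteria along the lines of "- [ ] `requireRole` rejects requests whose role claim is absent or not one of `user`, `moderator`, `admin`" and "- [ ] Role is read only from a signature-verified token", and stating in the Tasks section whether routes without an explicit `requireRole` are denied by default or left open, since "All existing API endpoints have appropriate role checks" is not testable until that default is fixed. Two smaller points: "Sensitive actions are logged with audit events" should name which actions count as sensitive (or point at the relevant section of `docs/roles-and-permissions.md`) so the logging task and its tests have a concrete list, and the file is missing its trailing newline ("\ No newline at end of file").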