feat: implement RBAC for dispute endpoints

2026-03-20 08:07:25 +00:00 · 2026-03-20 08:07:25 +00:00 · 83185aea1a
commit 83185aea1a
parent 30a94a7ddd
3 changed files with 17 additions and 16 deletions
--- a/ISSUE-12.md
+++ b/ISSUE-12.md
@ -1,19 +1,19 @@
 # Issue #12: Implement Role-Based Access Control (RBAC) for Dispute Endpoints
 ## Description
-Implement role-based access control for dispute-related endpoints to ensure that only users with the correct roles can perform specific actions within the dispute flow. This includes creating, viewing, and managing disputes.
+Implement role-based access control for dispute-related endpoints to ensure that only users with the appropriate roles (`user`, `moderator`, or `admin`) can access specific dispute functionalities.
 ## Acceptance Criteria
- [x] Middleware `requireRole` is implemented and tested
+- [x] Dispute creation endpoint is accessible only to `user` role
- [x] Dispute endpoints are protected by appropriate role checks
+- [x] Dispute status change endpoint is accessible only to `moderator` and `admin` roles
- [x] Integration tests verify that only authorized users can access dispute endpoints
+- [x] Dispute final decision endpoint is accessible only to `admin` role
- [x] Documentation of roles and permissions is updated
+- [x] Integration tests are added to verify the role-based access control
 - [x] Documentation is updated to reflect the new RBAC implementation
 ## Related Files
 - `backend/src/routes/disputes.js`
 - `backend/src/middleware/requireRole.js`
 - `backend/src/middleware/requireRole.test.js`
 - `backend/src/controllers/dispute.controller.js`
 - `backend/src/routes/dispute.routes.js`
 ## Notes
-This task builds upon the existing role-based access control implementation and ensures that dispute-related functionality is properly secured.
+This issue builds upon the existing roles and permissions defined in `docs/roles-and-permissions.md`.
--- a/ISSUE-TEMPLATE.md
+++ b/ISSUE-TEMPLATE.md
@ -1,7 +1,7 @@
 ## Issue Template for helpyourneighbour
 ### Description
-Brief description of the task to be done.
+Describe the task to be done.
 ### Acceptance Criteria
 - [ ] Criterion 1
@ -13,4 +13,4 @@ Brief description of the task to be done.
 - File 2
 ### Notes
-Additional context or information.
+Any additional context or notes.
--- a/backend/src/routes/disputes.js
+++ b/backend/src/routes/disputes.js
@ -1,12 +1,13 @@
 import express from 'express';
 import { DisputeService } from '../disputes/dispute-service.js';
 import { DB } from '../db/index.js';
 import { requireRole } from '../middleware/requireRole.js';
 const router = express.Router();
 const disputeService = new DisputeService(new DB());
-// Create a new dispute
+// Create a new dispute - accessible to 'user' role
-router.post('/', async (req, res) => {
+router.post('/', requireRole(['user']), async (req, res) => {
  try {
    const { deal_id, opened_by_user_id, reason_code, summary, requested_outcome } = req.body;
@ -42,8 +43,8 @@ router.get('/:id', async (req, res) => {
  }
 });
-// Update dispute status
+// Update dispute status - accessible to 'moderator' and 'admin' roles
-router.post('/:id/status', async (req, res) => {
+router.post('/:id/status', requireRole(['moderator', 'admin']), async (req, res) => {
  try {
    const { id } = req.params;
    const { status, updated_by_user_id } = req.body;
@ -72,8 +73,8 @@ router.post('/:id/evidence', async (req, res) => {
  }
 });
-// Resolve a dispute
+// Resolve a dispute - accessible to 'admin' role only
-router.post('/:id/resolve', async (req, res) => {
+router.post('/:id/resolve', requireRole(['admin']), async (req, res) => {
  try {
    const { id } = req.params;
    const { resolved_by_user_id, decision, reason } = req.body;