feat: Add role-based access control middleware and tests

2026-03-17 22:08:53 +00:00 · 2026-03-17 22:08:53 +00:00 · eb45e4474d
commit eb45e4474d
parent 901bcf454c
6 changed files with 58 additions and 165 deletions
--- a/backend/middleware/role.middleware.cjs
+++ b/backend/middleware/role.middleware.cjs
@ -0,0 +1,26 @@
+// Role-based access control middleware
+const requireRole = (requiredRoles) => {
+  return (req, res, next) => {
+    // Check if user is authenticated
+    if (!req.user) {
+      return res.status(401).json({ 
+        error: 'Authentication required' 
+      });
+    }
+
+    // Check if user has the required role
+    const userRole = req.user.role;
+    
+    if (!userRole || !requiredRoles.includes(userRole)) {
+      // User does not have the required role, deny access
+      return res.status(403).json({ 
+        error: 'Insufficient permissions' 
+      });
+    }
+    
+    // User has the required role, allow access
+    next();
+  };
+};
+
+module.exports = { requireRole };
--- a/backend/middleware/role.middleware.js
+++ b/backend/middleware/role.middleware.js
@ -11,16 +11,16 @@ const requireRole = (requiredRoles) => {
    // Check if user has the required role
    const userRole = req.user.role;
    
-    if (requiredRoles.includes(userRole)) {
-      // User has the required role, allow access
-      next();
-    } else {
+    if (!userRole || !requiredRoles.includes(userRole)) {
      // User does not have the required role, deny access
      return res.status(403).json({ 
        error: 'Insufficient permissions' 
      });
    }
+    
+    // User has the required role, allow access
+    next();
  };
 };

-export { requireRole };
+module.exports = { requireRole };