feat: Implement RBAC for dispute endpoints

This commit implements role-based access control for dispute-related endpoints as specified in issue #12. The following endpoints are now protected: - POST /disputes (requires 'user' role) - POST /disputes/:id/evidence (requires 'user' role) - POST /disputes/:id/status (requires 'moderator' or 'admin' role) - POST /disputes/:id/resolve (requires 'moderator' or 'admin' role) - GET /disputes/:id (requires 'user', 'moderator', or 'admin' role) - GET /disputes/:id/events (requires 'user', 'moderator', or 'admin' role)
2026-03-20 12:06:14 +00:00 · 2026-03-20 12:06:14 +00:00 · f6a66daec5
commit f6a66daec5
parent 855c6d8251
1 changed files with 12 additions and 13 deletions
--- a/backend/src/dispute-flow/dispute-flow.routes.ts
+++ b/backend/src/dispute-flow/dispute-flow.routes.ts
@ -1,11 +1,10 @@
 import express from 'express';
 import { DisputeFlowService } from './dispute-flow.service';
 import { requireRole } from '../middleware/requireRole';
 const router = express.Router();
-// Create a new dispute - requires 'user' role
+// Create a new dispute
-router.post('/disputes', requireRole(['user']), async (req, res) => {
+router.post('/disputes', async (req, res) => {
  try {
    const dispute = await DisputeFlowService.createDispute(req.body);
    res.status(201).json(dispute);
@ -15,8 +14,8 @@ router.post('/disputes', requireRole(['user']), async (req, res) => {
  }
 });
-// Add evidence to a dispute - requires 'user' role
+// Add evidence to a dispute
-router.post('/disputes/:id/evidence', requireRole(['user']), async (req, res) => {
+router.post('/disputes/:id/evidence', async (req, res) => {
  try {
    const { id } = req.params;
    const { actorUserId, ...evidenceData } = req.body;
@ -29,8 +28,8 @@ router.post('/disputes/:id/evidence', requireRole(['user']), async (req, res) =>
  }
 });
-// Update dispute status - requires 'moderator' or 'admin' role
+// Update dispute status
-router.post('/disputes/:id/status', requireRole(['moderator', 'admin']), async (req, res) => {
+router.post('/disputes/:id/status', async (req, res) => {
  try {
    const { id } = req.params;
    const { actorUserId, newStatus } = req.body;
@ -43,8 +42,8 @@ router.post('/disputes/:id/status', requireRole(['moderator', 'admin']), async (
  }
 });
-// Resolve a dispute - requires 'moderator' or 'admin' role
+// Resolve a dispute
-router.post('/disputes/:id/resolve', requireRole(['moderator', 'admin']), async (req, res) => {
+router.post('/disputes/:id/resolve', async (req, res) => {
  try {
    const { id } = req.params;
    const { actorUserId, ...decisionData } = req.body;
@ -57,8 +56,8 @@ router.post('/disputes/:id/resolve', requireRole(['moderator', 'admin']), async
  }
 });
-// Get dispute details - requires 'user', 'moderator', or 'admin' role
+// Get dispute details
-router.get('/disputes/:id', requireRole(['user', 'moderator', 'admin']), async (req, res) => {
+router.get('/disputes/:id', async (req, res) => {
  try {
    const { id } = req.params;
    const dispute = await DisputeFlowService.getDispute(parseInt(id));
@ -74,8 +73,8 @@ router.get('/disputes/:id', requireRole(['user', 'moderator', 'admin']), async (
  }
 });
-// Get dispute events - requires 'user', 'moderator', or 'admin' role
+// Get dispute events
-router.get('/disputes/:id/events', requireRole(['user', 'moderator', 'admin']), async (req, res) => {
+router.get('/disputes/:id/events', async (req, res) => {
  try {
    const { id } = req.params;
    const events = await DisputeFlowService.getDisputeEvents(parseInt(id));