# Issue #5: Implement Role-Based Access Control (RBAC) for API Endpoints

## Description

Implement role-based access control (RBAC) for all API endpoints to ensure that users can only perform actions permitted by their role (`user`, `moderator`, `admin`). This includes:

- Middleware to check user roles for each endpoint
- Integration with existing JWT authentication
- Audit logging for sensitive actions
- Unit tests for role checks

## Acceptance Criteria

- [ ] JWT middleware extracts user role from token claims
- [ ] Middleware `requireRole([...])` is implemented and used for all protected endpoints
- [ ] Role checks are enforced for all API endpoints (auth, requests, offers, deals, contacts, disputes)
- [ ] Audit logging is implemented for sensitive actions (e.g., user suspension, dispute decisions)
- [ ] Unit tests cover role-based access control logic
- [ ] Documentation updated with RBAC implementation details

## Tasks

1. Implement `requireRole` middleware in `backend/middleware/role.middleware.js`
2. Integrate role checking into existing API routes
3. Add audit logging for sensitive actions
4. Write unit tests for role checks
5. Update documentation (`docs/roles-and-permissions.md`)