# Issue #124: Implement Role-Based Access Control (RBAC) for API Endpoints

## Description

Implement role-based access control (RBAC) for the API endpoints to ensure that users can only perform actions allowed by their role (`user`, `moderator`, `admin`). This includes:

- Middleware to check user roles on protected routes
- Integration with JWT claims
- Audit logging for sensitive actions
- Documentation of the RBAC model

## Acceptance Criteria

- [ ] JWT middleware extracts role from token
- [ ] `requireRole` middleware implemented and tested
- [ ] All existing API endpoints have appropriate role checks
- [ ] Sensitive actions are logged with audit events
- [ ] Documentation updated to reflect RBAC implementation
- [ ] Tests added for role-based access

## Tasks

1. Implement `requireRole` middleware in `backend/middleware/role.middleware.js`
2. Add role checks to existing API routes
3. Integrate role checking into JWT authentication flow
4. Implement audit logging for sensitive actions
5. Update documentation (`docs/roles-and-permissions.md`)
6. Write tests for RBAC functionality

## Notes

This is a follow-up to the existing roles and permissions documentation in `docs/roles-and-permissions.md`. The implementation should align with the defined roles and permissions matrix.