# Issue #5: Implement Role-Based Access Control (RBAC) for API Endpoints

## Description

Implement role-based access control (RBAC) for all API endpoints to ensure that users can only perform actions permitted by their role (`user`, `moderator`, `admin`). This includes:

- Middleware to check user roles for each endpoint
- Integration with existing JWT authentication
- Audit logging for sensitive actions
- Unit tests for role checks

## Acceptance Criteria

- [ ] All API endpoints properly validate user roles
- [ ] JWT middleware extracts and validates the `role` claim
- [ ] Role-checking middleware (`requireRole`) is implemented and used
- [ ] Sensitive actions are logged with audit events
- [ ] Unit tests cover role-based access for all endpoints
- [ ] Documentation updated to reflect new RBAC implementation

## Tasks

1. Implement JWT middleware to extract `role` claim
2. Create `requireRole` middleware
3. Apply role checks to existing API endpoints
4. Add audit logging for sensitive actions
5. Write unit tests
6. Update documentation

## Notes

This is a follow-up to the roles and permissions documentation in `docs/roles-and-permissions.md`.