Created issue #5 to track the implementation of role-based access control for API endpoints as per the documented roles and permissions.
Issue #5: Implement Role-Based Access Control (RBAC) for API Endpoints
Description
Implement role-based access control (RBAC) for all API endpoints to ensure that users can only perform actions permitted by their role (user, moderator, admin).
This includes:
- Middleware to check user roles for each endpoint
- Integration with existing JWT authentication
- Audit logging for sensitive actions
- Unit tests for role checks
Acceptance Criteria
- JWT middleware extracts user role from token claims
- Middleware `requireRole([...])` is implemented and used for all protected endpoints
- Role checks are enforced for all API endpoints (auth, requests, offers, deals, contacts, disputes)
- Audit logging is implemented for sensitive actions (e.g., user suspension, dispute decisions)
- Unit tests cover role-based access control logic
- Documentation updated with RBAC implementation details
Tasks
- Implement `requireRole` middleware in `backend/middleware/role.middleware.js`
- Integrate role checking into existing API routes
- Add audit logging for sensitive actions
- Write unit tests for role checks
- Update documentation (`docs/roles-and-permissions.md`)
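As an added example (not the project's own code), one shape the `requireRole` middleware and its audit logging could take. It assumes an Express-style `(req, res, next)` signature and that a preceding JWT middleware has already verified the token and set `req.user = { id, role }` from its claims; `runGuard` is a hypothetical helper that stands in for Express so the guard can be exercised without a server.

```javascript
// Added example, not the project's own code: an Express-style requireRole()
// guard. It assumes an earlier JWT middleware has verified the token and set
// req.user = { id, role } from its claims; this guard never decodes tokens.
const ROLES = ['user', 'moderator', 'admin'];
const auditLog = []; // in-memory stand-in for the real audit sink

// Record who tried to do what, so denials and sensitive actions are traceable.
function audit(event, req, extra = {}) {
  const u = req.user || {};
  auditLog.push({ ts: new Date().toISOString(), event, userId: u.id || null,
                  role: u.role || null, path: req.path, ...extra });
}

// requireRole(['admin']) -> middleware that only lets admins through.
// Unknown role names are rejected when the route is defined, so a typo in a
// route file cannot silently produce an always-deny (or untested) guard.
function requireRole(allowed) {
  const valid = Array.isArray(allowed) && allowed.length > 0 &&
    allowed.every((r) => ROLES.includes(r));
  if (!valid) throw new TypeError('requireRole: expected a non-empty array of known roles');
  return function roleGuard(req, res, next) {
    const user = req.user;
    if (!user || typeof user.role !== 'string') {
      audit('access.denied.unauthenticated', req); // fail closed if auth was skipped
      return res.status(401).json({ error: 'authentication required' });
    }
    if (!allowed.includes(user.role)) {
      audit('access.denied.forbidden', req, { required: allowed });
      return res.status(403).json({ error: 'insufficient role' });
    }
    audit('access.granted', req, { required: allowed });
    return next();
  };
}

// On a route this would be used as:
//   router.post('/users/:id/suspend', requireRole(['admin']), handler)
// Hypothetical stand-in for Express req/res so the guard runs without a server.
function runGuard(guard, req) {
  const out = { status: null, body: null, nextCalled: false };
  const res = {
    status(code) { out.status = code; return res; },
    json(body) { out.body = body; return res; },
  };
  guard(req, res, () => { out.nextCalled = true; });
  return out;
}
```

Every denial is written to the audit log before the response is sent, so a 401/403 can always be traced back to the user id, role and path involved.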