Created issue #5 to track the implementation of role-based access control for API endpoints as per the documented roles and permissions.
# Issue #5: Implement Role-Based Access Control (RBAC) for API Endpoints

## Description

Implement role-based access control (RBAC) for all API endpoints to ensure that users can only perform actions permitted by their role (`user`, `moderator`, `admin`).

This includes:

- Middleware to check user roles for each endpoint
- Integration with existing JWT authentication
- Audit logging for sensitive actions
- Unit tests for role checks

## Acceptance Criteria

- [ ] JWT middleware extracts user role from token claims
- [ ] Middleware `requireRole([...])` is implemented and used for all protected endpoints
- [ ] Role checks are enforced for all API endpoints (auth, requests, offers, deals, contacts, disputes)
- [ ] Audit logging is implemented for sensitive actions (e.g., user suspension, dispute decisions)
- [ ] Unit tests cover role-based access control logic
- [ ] Documentation updated with RBAC implementation details

## Tasks

1. Implement `requireRole` middleware in `backend/middleware/role.middleware.js`
2. Integrate role checking into existing API routes
3. Add audit logging for sensitive actions
4. Write unit tests for role checks
5. Update documentation (`docs/roles-and-permissions.md`)
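An added example, not the project's own code, of what the `requireRole` middleware and audit hook in tasks 1 to 3 could look like: an Express-style guard that assumes the existing JWT middleware has already verified the token and placed its claims on `req.user` (the claim names `sub` and `role` and the `audit` option are assumptions), fails closed on unknown roles instead of defaulting them, and records the outcome of sensitive actions in an in-memory audit sink.

```javascript
// Added example (not the project's own code): Express-style requireRole guard.
// Assumes the existing JWT middleware has already verified the token and
// stored its claims on req.user as { sub, role }; those field names are assumed.
const ROLES = new Set(['user', 'moderator', 'admin']);

// Audit sink for sensitive actions. An array here so tests can inspect it;
// a real deployment would write to the application logger instead.
const auditLog = [];

function audit(event, req, outcome) {
  auditLog.push({
    at: new Date().toISOString(),
    event,
    userId: req.user ? req.user.sub : null,
    role: req.user ? req.user.role : null,
    method: req.method,
    path: req.originalUrl || req.url,
    outcome,
  });
}

// requireRole(['moderator', 'admin'], { audit: 'dispute.decide' }) returns
// middleware that lets only those roles through and audits every decision.
function requireRole(allowedRoles, opts = {}) {
  if (!Array.isArray(allowedRoles) || allowedRoles.length === 0) {
    throw new TypeError('requireRole needs a non-empty array of roles');
  }
  for (const r of allowedRoles) {
    if (!ROLES.has(r)) throw new TypeError(`unknown role: ${r}`);
  }
  const allowed = new Set(allowedRoles);
  const event = opts.audit || null; // name of the sensitive action, if any

  return function roleGuard(req, res, next) {
    // No verified identity: an authentication failure, not an authorization one.
    if (!req.user || typeof req.user.role !== 'string') {
      if (event) audit(event, req, 'denied:unauthenticated');
      return res.status(401).json({ error: 'authentication required' });
    }
    // Fail closed: a role the system does not know is never treated as "user".
    if (!ROLES.has(req.user.role) || !allowed.has(req.user.role)) {
      if (event) audit(event, req, 'denied:forbidden');
      return res.status(403).json({ error: 'insufficient role' });
    }
    if (event) audit(event, req, 'allowed');
    return next();
  };
}
```

Mount it per route (for example `router.post('/disputes/:id/decide', jwtAuth, requireRole(['admin'], { audit: 'dispute.decide' }), handler)`) so the 401/403 responses are produced before the handler runs and the audit entry is written for both allowed and denied attempts.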