Role-based access control middleware (ACL-002).
Creates Express middleware that checks req.userRole (injected by the
workspace-aware auth flow in authenticate.js) against a minimum role
level.
Role hierarchy
admin > qa_lead > viewer
requireRole('qa_lead') allows admin and qa_lead but blocks viewer.
requireRole('admin') allows only admin.
Usage
import { requireRole } from "../middleware/requireRole.js";
router.delete("/:id", requireRole("admin"), (req, res) => { … });
router.post("/", requireRole("qa_lead"), (req, res) => { … });
Keeping permissions.json in sync
Every requireRole(...) call site is mirrored in ./permissions.json,
which is the canonical machine-readable RBAC matrix consumed by agents
and reviewers (see QA.md, AGENT.md, REVIEW.md). Whenever you add, remove,
or change a role gate, update the corresponding entry in permissions.json.
Audit drift with: grep -rn 'requireRole(' backend/src/routes/.
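The grep above lists call sites but does not compare them with the matrix. The following is an added example, not part of this project's code, that extracts requireRole gates from route source text and reports where code and matrix disagree. The permissions.json entry shape (file, method, path, role) and the file name runs.js are assumptions, since this page does not show the schema.

```javascript
// Added example, not the project's code. The matrix entry shape
// { file, method, path, role } is an assumption; permissions.json may differ.
const VALID_ROLES = ["admin", "qa_lead", "viewer"]; // role names listed on this page

// Matches router.<method>("<path>", requireRole("<role>") call sites.
const GATE_RE =
  /router\.(get|post|put|patch|delete)\(\s*(["'])([^"']*)\2\s*,\s*requireRole\(\s*(["'])([^"']*)\4\s*\)/g;

function extractGates(file, source) {
  const gates = [];
  for (const m of source.matchAll(GATE_RE)) {
    gates.push({ file, method: m[1].toUpperCase(), path: m[3], role: m[5] });
  }
  return gates;
}

const key = (g) => `${g.file} ${g.method} ${g.path}`;

// Returns one finding per disagreement between code and matrix.
function findDrift(gates, matrix) {
  const documented = new Map(matrix.map((e) => [key(e), e.role]));
  const findings = [];
  for (const g of gates) {
    const k = key(g);
    if (!VALID_ROLES.includes(g.role)) findings.push(`unknown role: ${k} -> ${g.role}`);
    if (!documented.has(k)) findings.push(`undocumented gate: ${k}`);
    else if (documented.get(k) !== g.role)
      findings.push(`role mismatch: ${k} code=${g.role} matrix=${documented.get(k)}`);
    documented.delete(k);
  }
  for (const k of documented.keys()) findings.push(`stale entry: ${k}`);
  return findings;
}

// Constructed sample input (hypothetical file runs.js, not real project data).
const sampleSource = `
router.delete("/:id", requireRole("admin"), handler);
router.post("/", requireRole("qa_lead"), handler);
router.get("/", requireRole("viewer"), handler);
`;
const sampleMatrix = [
  { file: "runs.js", method: "DELETE", path: "/:id", role: "admin" },
  { file: "runs.js", method: "POST", path: "/", role: "viewer" },
  { file: "runs.js", method: "PUT", path: "/:id", role: "qa_lead" },
];

console.log(findDrift(extractGates("runs.js", sampleSource), sampleMatrix).join("\n"));
```

A route registered with no requireRole(...) call at all is invisible to both the grep and this check, so ungated routes need a separate review.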
Parameters:
| Name | Type | Description |
|---|---|---|
| minimumRole | string | The minimum role required ('admin' \| 'qa_lead' \| 'viewer'). |
Returns:
Express middleware (req, res, next).
- Type
- function
Members
(static, constant) VALID_ROLES
Valid role names for input validation.
(inner, constant) ROLE_WEIGHT
Numeric weight per role — higher = more privileged.
Methods
(static) requireRole(minimumRole) → {function}
Create an Express middleware that enforces a minimum role.
Expects req.userRole to be set by the auth middleware. If missing,
returns 401. If the role is below the minimum, returns 403.
Parameters:
| Name | Type | Description |
|---|---|---|
| minimumRole | string | 'admin' \| 'qa_lead' \| 'viewer' |
Returns:
Express middleware
- Type
- function