feat(backend): role-based control guards for route scopes #328

Open
armorbreak001 wants to merge 1 commit into GalactiGuild:main from armorbreak001:bounty/296-role-based-guards

Conversation

@armorbreak001

Fixes #296

Summary

Implemented role-based access control (RBAC) guards for NestJS routes, with @Roles() decorator and RolesGuard. Applied to restrict bounty mutation endpoints to ADMIN users.

Changes

New Files

  • backend/src/common/decorators/roles.decorator.ts — @Roles(...roles) metadata decorator
  • backend/src/common/guards/roles.guard.ts — RolesGuard that:
    • Reads required roles from handler/class metadata via Reflector
    • Checks user.roles (supports string[] or comma-separated string)
    • Allows access if user has any of the required roles
    • Returns 403 Forbidden with descriptive message on denial
    • Passes through when no roles are required
  • backend/src/common/guards/roles.guard.spec.ts — Unit tests (4 cases)

Modified

  • backend/src/bounty/bounty.controller.ts — Added RolesGuard + @Roles(ADMIN) to PATCH /bounties/:id

Usage

// Single role
@UseGuards(JwtAuthGuard, RolesGuard)
@Roles(ADMIN)
@Patch(':id')
async update(...) { }

// Multiple roles (user needs at least one)
@Roles(ADMIN, MODERATOR)
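To make the guard's decision rule concrete outside NestJS, here is an added, framework-free model of the behaviour the PR description lists (normalising user.roles from either string[] or a comma-separated string, allowing access when the user holds any required role, passing through when no roles are required, and raising a 403 otherwise). It is example code written for this page, not the PR's roles.guard.ts; the names normalizeRoles, isAllowed, canActivate and the ForbiddenException class are assumptions, and the Reflector metadata lookup is replaced by passing the required roles in directly.

```typescript
// Added example, not code from the PR: a pure model of the RolesGuard decision.
// The required roles are passed in as an argument instead of being read from
// handler/class metadata via Reflector (an assumption made for this example).

/** Minimal stand-in for NestJS's ForbiddenException (assumed name, HTTP 403). */
export class ForbiddenException extends Error {
  readonly status = 403;
  constructor(message: string) {
    super(message);
    this.name = "ForbiddenException";
  }
}

/** Shape of the authenticated principal the guard expects on the request (assumed). */
export interface RequestUser {
  roles?: string[] | string;
}

/**
 * Normalise `user.roles` into a clean list of role names.
 * Accepts string[] or a comma-separated string; trims whitespace and drops
 * empty entries so "ADMIN, ,MODERATOR" and ["ADMIN", "MODERATOR"] compare equal.
 */
export function normalizeRoles(roles: RequestUser["roles"]): string[] {
  if (!roles) return [];
  const list = Array.isArray(roles) ? roles : roles.split(",");
  return list.map((r) => r.trim()).filter((r) => r.length > 0);
}

/**
 * Pure decision: true when no roles are required (no @Roles() on the
 * handler or class) or when the user holds at least one required role.
 * A missing user or missing roles claim is treated as holding no roles.
 */
export function isAllowed(
  required: string[] | undefined,
  user: RequestUser | undefined,
): boolean {
  if (!required || required.length === 0) return true; // pass through
  const held = new Set(normalizeRoles(user?.roles));
  return required.some((role) => held.has(role));
}

/**
 * Guard-style entry point: returns true to allow the request, otherwise
 * throws a 403 with a descriptive message naming the roles that were required.
 */
export function canActivate(
  required: string[] | undefined,
  user: RequestUser | undefined,
): boolean {
  if (isAllowed(required, user)) return true;
  throw new ForbiddenException(
    `Access denied: requires one of [${(required ?? []).join(", ")}]`,
  );
}
```

Note that the comparison is exact and case-sensitive: a claim of "admin" does not satisfy @Roles(ADMIN), which is the safer default when role names come from an upstream identity provider.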

Verification

# Run guard tests
cd backend && npm test -- common/guards/roles.guard.spec.ts

# Manual test:
# PATCH /bounties/1 with user.role=USER → 403 Forbidden
# PATCH /bounties/1 with user.role=ADMIN → 200 OK

- Add @Roles() decorator for setting required roles on routes
- Add RolesGuard checking user.roles against required roles
- Apply RolesGuard to PATCH /bounties/:id (ADMIN only)
- Returns 403 Forbidden with descriptive message on denial
- Includes unit tests for RolesGuard

Development

Successfully merging this pull request may close these issues.

[Backend] Role-Based Control Guards for Route Scopes