Conversation

Ermegilius
Contributor

This pull request refines role-based access control across the backend by removing the deprecated superVera role and standardizing role checks and endpoint protection. It also enhances security by consistently requiring organization membership for elevated actions and expands public access for certain data retrieval endpoints.

Role Management and Security Enhancements:

  • Removed all references to the deprecated superVera role from code, role checks, and endpoint guards, ensuring only valid roles are used for authorization.
  • Updated all endpoints requiring elevated roles (e.g., tenant_admin, storage_manager, super_admin) to also require users to belong to the same organization (sameOrg: true), improving security and correct scoping of permissions.
  • Standardized usage of the @Roles decorator for all endpoints, ensuring consistent and explicit role checks across controllers.

Public Endpoint Improvements:

  • Marked category and item image retrieval endpoints as public using the @Public() decorator, allowing unauthenticated access for these resources.

Role Controller Updates:

  • Added explicit role checks to endpoints in role.controller.ts, ensuring only authorized users can query or modify role assignments and organization-role relationships.

These changes collectively improve security, clarify role boundaries, and make endpoint access more predictable for both developers and users.

supabase bot commented Sep 8, 2025

This pull request has been ignored for the connected project rcbddkhvysexkvgqpcud because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings.

Preview Branches by Supabase.
Learn more about Supabase Branching.

stabjana (Contributor) commented Sep 8, 2025

Nice work! 😄

There are 2 tiny issues:

backend/src/modules/organization-locations/organization_locations.controller.ts:
for everything concerning items, a super_admin has only read access, no write (so all the endpoints except the get ones should not include super_admins)

also here:
backend/src/modules/storage-items/storage-items.controller.ts
or is there a reason, because you specifically added it there to the get count?

@stabjana stabjana self-assigned this Sep 9, 2025
Ermegilius (Contributor, Author)

backend/src/modules/organization-locations/organization_locations.controller.ts:
it's not about items, it's org-related. Shouldn't super admins be able to edit org locations? My idea was: super admins manage everything user- and org-related.

backend/src/modules/storage-items/storage-items.controller.ts
it's only to get the count of all items, nothing more items-related. Otherwise the admin dashboard for super admins looks sad with the items counter at 0 and an axios error in the console. Just a tiny bit of data to see how big the app is.

stabjana (Contributor) commented Sep 9, 2025

If you point it out like that, it makes sense.
And I totally get the point of a sad-looking admin panel 😄
I will merge it 🦄

@stabjana stabjana merged commit d998550 into develop Sep 9, 2025
5 checks passed