
Add Role-Based Access Control (RBAC) for Admin and Regular Users Team 153#86

Merged
krishnapaljadeja merged 3 commits intogdg-charusat:mainfrom
Nency02:feat/rbac-admin-roles
Mar 1, 2026

Conversation

@Nency02
Contributor

@Nency02 Nency02 commented Feb 28, 2026

Team Number : Team 153

Description

Implements Role-Based Access Control (RBAC) for the backend. A Role enum (USER, ADMIN) is added to the Prisma schema and User model. New middleware (requireRole, requireAdmin) enforces role checks on protected routes. A dedicated /api/admin route group exposes admin-only operations (user management, challenge management, platform stats). All existing users default to the USER role — fully backward compatible.

Related Issue

Closes #81

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code refactoring
  • Performance improvement
  • Style/UI improvement

Changes Made

  • prisma/schema.prisma — Added Role enum (USER, ADMIN) and role Role @default(USER) field to the User model
  • prisma/migrations/20260228000000_add_role_rbac/migration.sql — Migration SQL: creates Role enum and adds role column with DEFAULT 'USER'
  • src/middlewares/auth.middleware.js — Added requireRole(...roles) middleware factory and requireAdmin shorthand; authenticate now selects and attaches role to req.user
  • src/controllers/admin.controller.js (new) — Admin-only handlers: getAllUsers, updateUserRole, deleteUser, getAllChallenges, deleteChallenge, getPlatformStats
  • src/routes/admin.routes.js (new) — All routes under /api/admin protected by authenticate + requireAdmin
  • src/app.js — Registered admin routes at /api/admin
  • src/services/auth.service.js — register, login, getProfile responses now include role
  • prisma/seed.js — Added a dedicated ADMIN user (admin / Admin@1234) created at seed time

Screenshots (if applicable)

N/A — backend API changes only.

API Endpoints Added

Method Endpoint Access
GET /api/admin/stats Admin only
GET /api/admin/users Admin only
PATCH /api/admin/users/:id/role Admin only
DELETE /api/admin/users/:id Admin only
GET /api/admin/challenges Admin only
DELETE /api/admin/challenges/:id Admin only

Error Responses

  • 401 Unauthorized — no token or invalid token
  • 403 Forbidden — authenticated but insufficient role ("Access denied: insufficient permissions")

Testing

  • Tested on Desktop (Chrome/Firefox/Safari)
  • Tested on Mobile (iOS/Android)
  • Tested responsive design (different screen sizes)
  • No console errors or warnings
  • Code builds successfully (npm run build)

Manual test scenarios:

  • Regular USER token hitting /api/admin/* → receives 403
  • ADMIN token hitting /api/admin/* → receives correct data
  • Unauthenticated request → receives 401
  • Existing users without role field → default to USER (backward compatible)

Checklist

  • My code follows the project's code style guidelines
  • I have performed a self-review of my code
  • I have commented my code where necessary
  • My changes generate no new warnings
  • I have tested my changes thoroughly
  • All TypeScript types are properly defined
  • Tailwind CSS classes are used appropriately (no inline styles)
  • Component is responsive across different screen sizes
  • I have read and followed the CONTRIBUTING.md guidelines

Additional Notes

  • Roles are defined as a Prisma enum (not hard-coded strings) for scalability
  • requireRole is a generic factory — new roles can be added to the enum and used instantly without changing the middleware
  • Admin seed credentials: admin / Admin@1234 — change before production
  • Migration must be applied with npx prisma migrate deploy after configuring DATABASE_URL in .env
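The middleware layering the PR describes (authenticate attaches role to req.user, a requireRole(...roles) factory, requireAdmin as the ADMIN shorthand, 401 for missing or invalid tokens versus 403 for an authenticated user with the wrong role) and the manual test scenarios listed under Testing, as an added example that is not the PR's or the project's code. It is Express-style middleware with the JWT verification and Prisma lookup replaced by a constructed in-memory token table, plus a tiny chain runner standing in for Express, so it runs offline. The names usersByToken, run, request and the body of the admin handler are assumptions; only the middleware names, the Role values and the error semantics come from the PR.

```javascript
// Added example (not the PR's code): RBAC middleware in the shape the PR describes.
// Assumption: JWT verification + Prisma `select: { role: true }` are stubbed by an
// in-memory token table so the chain can be exercised without a server or database.

const Role = Object.freeze({ USER: 'USER', ADMIN: 'ADMIN' }); // mirrors the Prisma enum

// Constructed stand-in for the User table keyed by bearer token.
const usersByToken = new Map([
  ['tok-alice', { id: 1, username: 'alice', role: Role.USER }],
  ['tok-admin', { id: 2, username: 'admin', role: Role.ADMIN }],
]);

// authenticate: 401 when the token is missing or unknown; otherwise attach the
// stored record (including role) to req.user.
function authenticate(req, res, next) {
  const header = req.headers.authorization || '';
  const [scheme, token] = header.split(' ');
  if (scheme !== 'Bearer' || !token) {
    return res.status(401).json({ message: 'Unauthorized: no token' });
  }
  const user = usersByToken.get(token); // stub for verifyJwt() + DB lookup
  if (!user) {
    return res.status(401).json({ message: 'Unauthorized: invalid token' });
  }
  // Role is read from the stored record, not from a client-controlled claim, so a
  // PATCH /api/admin/users/:id/role change is enforced on the user's next request.
  req.user = { id: user.id, username: user.username, role: user.role };
  return next();
}

// requireRole(...roles): factory returning a guard that admits any listed role.
function requireRole(...roles) {
  const allowed = new Set(roles);
  return function roleGuard(req, res, next) {
    if (!req.user) {
      // Fail closed if the guard was mounted without authenticate in front of it.
      return res.status(401).json({ message: 'Unauthorized' });
    }
    if (!allowed.has(req.user.role)) {
      return res.status(403).json({ message: 'Access denied: insufficient permissions' });
    }
    return next();
  };
}

const requireAdmin = requireRole(Role.ADMIN);

// Minimal runner standing in for Express: executes a middleware chain against a
// fake req/res and returns the status and JSON body the chain produced.
function run(chain, req) {
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let i = 0;
  const next = () => {
    const mw = chain[i++];
    if (mw) mw(req, res, next);
  };
  next();
  return { status: res.statusCode, body: res.body };
}

// Constructed handler in place of GET /api/admin/stats.
function getPlatformStats(req, res) {
  res.status(200).json({ users: usersByToken.size, requestedBy: req.user.username });
}

const adminStatsChain = [authenticate, requireAdmin, getPlatformStats];

// request(token): drive the admin chain with an optional bearer token.
function request(token) {
  const headers = token ? { authorization: `Bearer ${token}` } : {};
  return run(adminStatsChain, { headers });
}

// The three manual scenarios from the PR: unauthenticated, USER, ADMIN.
console.log(request(undefined));   // 401
console.log(request('tok-alice')); // 403
console.log(request('tok-admin')); // 200
```

The guard is mounted per route after authenticate, exactly as the PR's admin.routes.js does; requireRole(Role.USER, Role.ADMIN) would express a route open to both roles without touching the middleware, which is the scalability point made under Additional Notes.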

@krishnapaljadeja krishnapaljadeja self-requested a review February 28, 2026 05:35
@krishnapaljadeja
Contributor

✅ PR Validation Passed

Hey @Nency02! Your PR looks good. Here is what we found:

Field Value
Team Number Team 153
Linked Issue Closes #81

A maintainer will review your PR within 24–48 hours. Stay responsive to feedback!

GDG CHARUSAT Open Source Contri Sprintathon

@krishnapaljadeja krishnapaljadeja added the needs-review Valid issue-linked PR awaiting review label Feb 28, 2026
@Nency02 Nency02 changed the title feat: implement Role-Based Access Control (RBAC) for admin and regula… Add Role-Based Access Control (RBAC) for Admin and Regular Users Team 153 Feb 28, 2026
@krishnapaljadeja krishnapaljadeja added needs-review Valid issue-linked PR awaiting review and removed needs-review Valid issue-linked PR awaiting review labels Feb 28, 2026
@krishnapaljadeja
Contributor

@Nency02 can you please resolve these conflicts and rebase it. Thank you

Nency02 added 3 commits March 1, 2026 09:30
…r users

- Add Role enum (USER, ADMIN) to Prisma schema with default USER
- Add role field to User model (backward compatible)
- Add requireRole() middleware factory and requireAdmin shorthand
- Update authenticate middleware to include role in req.user
- Create admin.controller.js with: getAllUsers, updateUserRole,
  deleteUser, getAllChallenges, deleteChallenge, getPlatformStats
- Create admin.routes.js with all routes protected by requireAdmin
- Register /api/admin routes in app.js
- Expose role field in auth service register/login/getProfile responses
- Add admin seed user (admin / Admin@1234)
- Add Prisma migration SQL for Role enum and role column

Closes gdg-charusat#81
- Restore PULL_REQUEST_TEMPLATE.md to blank template (revert PR-specific content that should not modify the template)
- Remove duplicate prisma version entry in package-lock.json (keep ^5.22.0, remove ^5.8.0)
…enum

- Keep Role enum (USER, ADMIN) from feat/rbac-admin-roles
- Keep ChallengeInvite model from main
- Restore challengeInvites relation on User model
- Restore invites relation on Challenge model
@Nency02 Nency02 force-pushed the feat/rbac-admin-roles branch from 59fdc1c to 1bf409c on March 1, 2026 04:03
@krishnapaljadeja krishnapaljadeja added needs-review Valid issue-linked PR awaiting review and removed needs-review Valid issue-linked PR awaiting review labels Mar 1, 2026
@krishnapaljadeja krishnapaljadeja merged commit 2228100 into gdg-charusat:main Mar 1, 2026
1 check passed
@krishnapaljadeja
Contributor

🎉 PR Merged — Points Awarded!

Congratulations @Nency02! Your contribution has been merged.

Field Value
Repo Code_duel_backend
Team Team 153
Contributor @Nency02
Level Level 2 — Intermediate
Points Awarded 20 pts
Source Linked Issue #81

The central leaderboard has been updated. Keep contributing!

GDG CHARUSAT Open Source Contri Sprintathon
