rights system

backend/src/routes/booking.routes.ts

@@ -19,14 +19,14 @@ router.get('/calendar-token', authenticate, bookingController.getCalendarToken.b
 // ── Write operations ──────────────────────────────────────────────────────────
 
 router.post('/',     authenticate, bookingController.create.bind(bookingController));
-router.patch('/:id', authenticate, requirePermission('bookings:write'), bookingController.update.bind(bookingController));
+router.patch('/:id', authenticate, requirePermission('kalender:edit_bookings'), bookingController.update.bind(bookingController));
 
 // Soft-cancel (sets abgesagt=TRUE) — creator or bookings:write
 router.delete('/:id',       authenticate, bookingController.cancel.bind(bookingController));
 router.patch('/:id/cancel', authenticate, bookingController.cancel.bind(bookingController));
 
 // Hard-delete (admin only)
-router.delete('/:id/force', authenticate, requirePermission('bookings:delete'), bookingController.hardDelete.bind(bookingController));
+router.delete('/:id/force', authenticate, requirePermission('kalender:delete_bookings'), bookingController.hardDelete.bind(bookingController));
 
 // ── Single booking read — after specific routes to avoid path conflicts ───────