apply security audit

backend/src/middleware/rbac.middleware.ts

@@ -48,6 +48,19 @@ const PERMISSION_ROLE_MIN: Record<string, AppRole> = {
   'admin:access': 'admin',
   'audit:read':   'admin',
   'audit:export': 'admin',
+  'members:read': 'mitglied',
+  'members:write': 'kommandant',
+  'vehicles:write': 'kommandant',
+  'vehicles:status': 'gruppenfuehrer',
+  'vehicles:delete': 'admin',
+  'equipment:write': 'gruppenfuehrer',
+  'equipment:delete': 'admin',
+  'events:write': 'gruppenfuehrer',
+  'events:categories': 'gruppenfuehrer',
+  'atemschutz:write': 'gruppenfuehrer',
+  'atemschutz:delete': 'kommandant',
+  'bookings:write': 'gruppenfuehrer',
+  'bookings:delete': 'admin',
 };
 
 function hasPermission(role: AppRole, permission: string): boolean {
@@ -103,7 +116,9 @@ export function requirePermission(permission: string) {
       return;
     }
 
-    const role = await getUserRole(req.user.id);
+    const role = (req.user as any).role
+      ? (req.user as any).role as AppRole
+      : await getUserRole(req.user.id);
 
     // Attach role to request for downstream use (e.g., bericht_text redaction)
     (req as Request & { userRole?: AppRole }).userRole = role;
@@ -149,7 +164,9 @@ export function requireGroups(requiredGroups: string[]) {
       return;
     }
 
-    const userGroups: string[] = (req.user as any).groups ?? [];
+    logger.warn('DEPRECATED: requireGroups() — migrate to requirePermission()', { requiredGroups });
+
+    const userGroups: string[] = req.user?.groups ?? [];
     const hasAccess = requiredGroups.some(g => userGroups.includes(g));
 
     if (!hasAccess) {