apply security audit

backend/src/routes/booking.routes.ts

@@ -1,10 +1,7 @@
 import { Router } from 'express';
 import bookingController from '../controllers/booking.controller';
 import { authenticate, optionalAuth } from '../middleware/auth.middleware';
-import { requireGroups } from '../middleware/rbac.middleware';
-
-const WRITE_GROUPS = ['dashboard_admin', 'dashboard_fahrmeister', 'dashboard_moderator'];
-const ADMIN_GROUPS = ['dashboard_admin'];
+import { requirePermission } from '../middleware/rbac.middleware';
 
 const router = Router();
 
@@ -22,13 +19,13 @@ router.get('/calendar-token', authenticate, bookingController.getCalendarToken.b
 // ── Write operations ──────────────────────────────────────────────────────────
 
 router.post('/',     authenticate, bookingController.create.bind(bookingController));
-router.patch('/:id', authenticate, requireGroups(WRITE_GROUPS), bookingController.update.bind(bookingController));
+router.patch('/:id', authenticate, requirePermission('bookings:write'), bookingController.update.bind(bookingController));
 
 // Soft-cancel (sets abgesagt=TRUE)
-router.delete('/:id',       authenticate, requireGroups(WRITE_GROUPS), bookingController.cancel.bind(bookingController));
+router.delete('/:id',       authenticate, requirePermission('bookings:write'), bookingController.cancel.bind(bookingController));
 
 // Hard-delete (admin only)
-router.delete('/:id/force', authenticate, requireGroups(ADMIN_GROUPS), bookingController.hardDelete.bind(bookingController));
+router.delete('/:id/force', authenticate, requirePermission('bookings:delete'), bookingController.hardDelete.bind(bookingController));
 
 // ── Single booking read — after specific routes to avoid path conflicts ───────