apply security audit

backend/src/routes/events.routes.ts

@@ -1,13 +1,10 @@
 import { Router } from 'express';
 import eventsController from '../controllers/events.controller';
 import { authenticate, optionalAuth } from '../middleware/auth.middleware';
-import { requireGroups } from '../middleware/rbac.middleware';
+import { requirePermission } from '../middleware/rbac.middleware';
 
 const router = Router();
 
-/** Groups that may create, update, or cancel events */
-const WRITE_GROUPS = ['dashboard_admin', 'dashboard_moderator'];
-
 // ---------------------------------------------------------------------------
 // Categories
 // ---------------------------------------------------------------------------
@@ -20,34 +17,34 @@ router.get('/kategorien', authenticate, eventsController.listKategorien.bind(eve
 
 /**
  * POST /api/events/kategorien
- * Create a new category. Requires admin or moderator.
+ * Create a new category. Requires gruppenfuehrer+.
  */
 router.post(
   '/kategorien',
   authenticate,
-  requireGroups(WRITE_GROUPS),
+  requirePermission('events:categories'),
   eventsController.createKategorie.bind(eventsController)
 );
 
 /**
  * PATCH /api/events/kategorien/:id
- * Update an existing category. Requires admin or moderator.
+ * Update an existing category. Requires gruppenfuehrer+.
  */
 router.patch(
   '/kategorien/:id',
   authenticate,
-  requireGroups(WRITE_GROUPS),
+  requirePermission('events:categories'),
   eventsController.updateKategorie.bind(eventsController)
 );
 
 /**
  * DELETE /api/events/kategorien/:id
- * Delete a category (only if no events reference it). Requires admin or moderator.
+ * Delete a category (only if no events reference it). Requires gruppenfuehrer+.
  */
 router.delete(
   '/kategorien/:id',
   authenticate,
-  requireGroups(WRITE_GROUPS),
+  requirePermission('events:categories'),
   eventsController.deleteKategorie.bind(eventsController)
 );
 
@@ -106,23 +103,23 @@ router.get(
 
 /**
  * POST /api/events/import
- * Bulk import events from CSV data. Requires admin or moderator.
+ * Bulk import events from CSV data. Requires gruppenfuehrer+.
  */
 router.post(
   '/import',
   authenticate,
-  requireGroups(WRITE_GROUPS),
+  requirePermission('events:write'),
   eventsController.importEvents.bind(eventsController)
 );
 
 /**
  * POST /api/events
- * Create a new event. Requires admin or moderator.
+ * Create a new event. Requires gruppenfuehrer+.
  */
 router.post(
   '/',
   authenticate,
-  requireGroups(WRITE_GROUPS),
+  requirePermission('events:write'),
   eventsController.createEvent.bind(eventsController)
 );
 
@@ -134,34 +131,34 @@ router.get('/:id', authenticate, eventsController.getById.bind(eventsController)
 
 /**
  * PATCH /api/events/:id
- * Update an existing event. Requires admin or moderator.
+ * Update an existing event. Requires gruppenfuehrer+.
  */
 router.patch(
   '/:id',
   authenticate,
-  requireGroups(WRITE_GROUPS),
+  requirePermission('events:write'),
   eventsController.updateEvent.bind(eventsController)
 );
 
 /**
  * DELETE /api/events/:id
- * Soft-cancel an event (sets abgesagt=TRUE + reason). Requires admin or moderator.
+ * Soft-cancel an event (sets abgesagt=TRUE + reason). Requires gruppenfuehrer+.
  */
 router.delete(
   '/:id',
   authenticate,
-  requireGroups(WRITE_GROUPS),
+  requirePermission('events:write'),
   eventsController.cancelEvent.bind(eventsController)
 );
 
 /**
  * POST /api/events/:id/delete
- * Hard-delete an event permanently. Requires admin or moderator.
+ * Hard-delete an event permanently. Requires gruppenfuehrer+.
  */
 router.post(
   '/:id/delete',
   authenticate,
-  requireGroups(WRITE_GROUPS),
+  requirePermission('events:write'),
   eventsController.deleteEvent.bind(eventsController)
 );