featur add fahrmeister

backend/src/routes/vehicle.routes.ts

@@ -1,49 +1,10 @@
 import { Router } from 'express';
 import vehicleController from '../controllers/vehicle.controller';
 import { authenticate } from '../middleware/auth.middleware';
+import { requireGroups } from '../middleware/rbac.middleware';
 
-// ---------------------------------------------------------------------------
-// RBAC guard — requirePermission('vehicles:write')
-// ---------------------------------------------------------------------------
-// Tier 1 will deliver a full RBAC middleware. Until then, this inline guard
-// enforces that only admin/kommandant/gruppenfuehrer roles can mutate vehicle
-// data. The role is expected on req.user once Tier 1 is complete.
-// For now it uses a conservative allowlist that can be updated via Tier 1 RBAC.
-// ---------------------------------------------------------------------------
-import { Request, Response, NextFunction } from 'express';
-
-/** Roles that are allowed to write vehicle data */
-const WRITE_ROLES = new Set(['admin', 'kommandant', 'gruppenfuehrer']);
-
-/**
- * requirePermission guard — temporary inline implementation.
- * Replace with the Tier 1 RBAC middleware when available:
- *   import { requirePermission } from '../middleware/rbac.middleware';
- */
-const requireVehicleWrite = (
-  req: Request,
-  res: Response,
-  next: NextFunction
-): void => {
-  // Once Tier 1 RBAC is merged, replace the body with:
-  //   return requirePermission('vehicles:write')(req, res, next);
-  //
-  // Temporary implementation: check the role field on the JWT payload.
-  // The role is stored in req.user once authenticate() has run (Tier 1 adds it).
-  const role = (req.user as any)?.role as string | undefined;
-
-  if (!role || !WRITE_ROLES.has(role)) {
-    res.status(403).json({
-      success: false,
-      message: 'Keine Berechtigung für diese Aktion (vehicles:write erforderlich)',
-    });
-    return;
-  }
-
-  next();
-};
-
-// ---------------------------------------------------------------------------
+const ADMIN_GROUPS      = ['dashboard_admin'];
+const STATUS_GROUPS     = ['dashboard_admin', 'dashboard_fahrmeister'];
 
 const router = Router();
 
@@ -86,7 +47,7 @@ router.get('/:id/pruefungen', authenticate, vehicleController.getPruefungen.bind
  */
 router.get('/:id/wartung', authenticate, vehicleController.getWartung.bind(vehicleController));
 
-// ── Write endpoints (vehicles:write role required) ─────────────────────────────
+// ── Write endpoints (dashboard_admin group required) ────────────────────────
 
 /**
  * POST /api/vehicles
@@ -95,7 +56,7 @@ router.get('/:id/wartung', authenticate, vehicleController.getWartung.bind(vehic
 router.post(
   '/',
   authenticate,
-  requireVehicleWrite,
+  requireGroups(ADMIN_GROUPS),
   vehicleController.createVehicle.bind(vehicleController)
 );
 
@@ -106,19 +67,19 @@ router.post(
 router.patch(
   '/:id',
   authenticate,
-  requireVehicleWrite,
+  requireGroups(ADMIN_GROUPS),
   vehicleController.updateVehicle.bind(vehicleController)
 );
 
 /**
  * PATCH /api/vehicles/:id/status
- * Live status change — Socket.IO hook point for Tier 3.
+ * Live status change — dashboard_admin or dashboard_fahrmeister required.
  * The `io` instance is retrieved inside the controller via req.app.get('io').
  */
 router.patch(
   '/:id/status',
   authenticate,
-  requireVehicleWrite,
+  requireGroups(STATUS_GROUPS),
   vehicleController.updateVehicleStatus.bind(vehicleController)
 );
 
@@ -129,7 +90,7 @@ router.patch(
 router.post(
   '/:id/pruefungen',
   authenticate,
-  requireVehicleWrite,
+  requireGroups(ADMIN_GROUPS),
   vehicleController.addPruefung.bind(vehicleController)
 );
 
@@ -140,8 +101,20 @@ router.post(
 router.post(
   '/:id/wartung',
   authenticate,
-  requireVehicleWrite,
+  requireGroups(ADMIN_GROUPS),
   vehicleController.addWartung.bind(vehicleController)
 );
 
+/**
+ * DELETE /api/vehicles/:id
+ * Delete a vehicle — dashboard_admin only.
+ * NOTE: vehicleController.deleteVehicle needs to be implemented.
+ */
+router.delete(
+  '/:id',
+  authenticate,
+  requireGroups(ADMIN_GROUPS),
+  vehicleController.deleteVehicle.bind(vehicleController)
+);
+
 export default router;