feat: role-based permissions — owner/partner/associate/paralegal/secretary (P0)

2026-03-30 11:09:05 +02:00
parent a307b29db8 0a0ec016d8
commit 8e65463130
20 changed files with 1112 additions and 123 deletions
--- a/backend/internal/auth/middleware.go
+++ b/backend/internal/auth/middleware.go
@@ -40,15 +40,19 @@ func (m *Middleware) RequireAuth(next http.Handler) http.Handler {
 		// Tenant management routes handle their own access control.
 ||||||| 82878df

-		// Resolve tenant from user_tenants
-		var tenantID uuid.UUID
-		err = m.db.GetContext(r.Context(), &tenantID,
-			"SELECT tenant_id FROM user_tenants WHERE user_id = $1 LIMIT 1", userID)
+		// Resolve tenant and role from user_tenants
+		var membership struct {
+			TenantID uuid.UUID `db:"tenant_id"`
+			Role     string    `db:"role"`
+		}
+		err = m.db.GetContext(r.Context(), &membership,
+			"SELECT tenant_id, role FROM user_tenants WHERE user_id = $1 LIMIT 1", userID)
 		if err != nil {
 			http.Error(w, "no tenant found for user", http.StatusForbidden)
 			return
 		}
-		ctx = ContextWithTenantID(ctx, tenantID)
+		ctx = ContextWithTenantID(ctx, membership.TenantID)
+		ctx = ContextWithUserRole(ctx, membership.Role)

 =======