apps/api/src/middleware/requireRole.ts

Auto-generated by scripts/generate-file-docs.ts. Do not edit — overwritten on every run.

Purpose

requireRole / requireAnyRole — Fastify preHandler factories that enforce Plane-2 RBAC checks on top of requireAuth.

ADR 0038 — both helpers now read request.auth.roles (array) instead of request.auth.role (scalar).

Hierarchical check (requireRole): The maximum ordinal permission level across all of the user's active roles must be >= the minimum level for the given role. Feature roles (level 0) do not contribute to the maximum; they are evaluated via requireAnyRole(). Example: user holding ['member', 'infra_admin'] passes requireRole('admin') because max(2, 7) = 7 >= 5.

Membership check (requireAnyRole): The intersection of the user's role set and the allowed set must be non-empty. Example: user holding ['member', 'media_steward'] passes requireAnyRole(['media_steward', 'admin']).

ADR 0006, ADR 0023, ADR 0037, ADR 0038.
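The two checks described above, written as pure functions. This is an added example, not the project's own code. The names passesRole, passesAnyRole and activeRoles, the layout of the level table, and the fail-closed handling of non-array roles and of level-0 or unknown required roles are assumptions of this example; only the levels member = 2, admin = 5, infra_admin = 7 and "feature roles are level 0" come from the page.

```typescript
// Constructed level table. media_steward is a feature role, so level 0.
const ROLE_LEVEL = new Map<string, number>([
  ["member", 2],
  ["admin", 5],
  ["infra_admin", 7],
  ["media_steward", 0],
]);

// Hypothetical stand-in for request.auth.
type AuthContext = { roles?: unknown };

// Anything that is not an array of strings counts as "no roles", so a
// malformed claim or a legacy scalar value fails closed.
function activeRoles(auth: AuthContext | undefined): string[] {
  const roles = auth?.roles;
  if (!Array.isArray(roles)) return [];
  return roles.filter((r): r is string => typeof r === "string");
}

// Hierarchical check: max level across the user's roles >= required level.
function passesRole(auth: AuthContext | undefined, required: string): boolean {
  const min = ROLE_LEVEL.get(required);
  // A level-0 or unknown requirement would be met by every caller
  // (max >= 0 always holds), so this example refuses it outright.
  if (min === undefined || min <= 0) return false;
  let max = 0;
  for (const role of activeRoles(auth)) {
    max = Math.max(max, ROLE_LEVEL.get(role) ?? 0); // unknown roles count as 0
  }
  return max >= min;
}

// Membership check: the user's roles and the allowed set must intersect.
// No hierarchy applies here: a higher-level role does not imply a listed one.
function passesAnyRole(auth: AuthContext | undefined, allowed: string[]): boolean {
  const allowedSet = new Set(allowed);
  return activeRoles(auth).some((role) => allowedSet.has(role));
}
```
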

Exports

  • export function requireRole
  • export function requireAnyRole

Imports

  • ../lib/errors
  • ../lib/response
  • fastify

Imported by

Heritage Community Hub — Internal. Access restricted via Cloudflare Access + Entra ID.