felt/internal/server/middleware/role.go

package middleware

import (
	"net/http"
)

// Role constants for operator access levels.
const (
	RoleAdmin  = "admin"
	RoleFloor  = "floor"
	RoleViewer = "viewer"
)

// roleHierarchy defines the permission level for each role.
// Higher numbers have more permissions.
var roleHierarchy = map[string]int{
	RoleViewer: 1,
	RoleFloor:  2,
	RoleAdmin:  3,
}

// RequireRole returns middleware that checks the operator has at least the
// given role level. Admin > Floor > Viewer.
func RequireRole(minRole string) func(http.Handler) http.Handler {
	minLevel := roleHierarchy[minRole]

	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			role := OperatorRole(r)
			level := roleHierarchy[role]

			if level < minLevel {
				http.Error(w, `{"error":"insufficient permissions"}`, http.StatusForbidden)
				return
			}

			next.ServeHTTP(w, r)
		})
	}
}