add rbac

Author: nevzattalhaozcan

.github/workflows/ci.yml

@@ -2,9 +2,9 @@ name: CI
 
 on:
     push:
-        branches: [ main ]
+        branches: [ "**" ]
     pull_request:
-        branches: [ main ]    
+        branches: [ "**" ]
 
 jobs:
     test:

data/seed_users.json

@@ -6,55 +6,62 @@
       "password": "123456",
       "first_name": "John",
       "last_name": "Doe",
-      "is_active": true
+      "is_active": true,
+      "role": "admin"
     },
     {
       "username": "janedoe",
       "email": "[email protected]",
       "password": "123456",
       "first_name": "Jane",
       "last_name": "Doe",
-      "is_active": true
+      "is_active": true,
+      "role": "user"
     },
     {
       "username": "testuser1",
       "email": "[email protected]",
       "password": "123456",
       "first_name": "Test",
       "last_name": "User1",
-      "is_active": true
+      "is_active": true,
+      "role": "user"
     },
     {
       "username": "testuser2",
       "email": "[email protected]",
       "password": "123456",
       "first_name": "Test",
       "last_name": "User2",
-      "is_active": true
+      "is_active": true,
+      "role": "user"
     },
     {
       "username": "inactiveuser",
       "email": "[email protected]",
       "password": "123456",
       "first_name": "Test",
       "last_name": "User2",
-      "is_active": false
+      "is_active": false,
+      "role": "user"
     },
     {
       "username": "admin",
       "email": "[email protected]",
       "password": "admin123",
       "first_name": "Admin",
       "last_name": "User",
-      "is_active": true
+      "is_active": true,
+      "role": "admin"
     },
     {
       "username": "qa_tester",
       "email": "[email protected]",
       "password": "qa123456",
       "first_name": "QA",
       "last_name": "Tester",
-      "is_active": true
+      "is_active": true,
+      "role": "user"
     }
   ]
 }

internal/database/migrations/000001_create_users_table.up.sql

@@ -6,6 +6,7 @@ CREATE TABLE IF NOT EXISTS users (
     first_name VARCHAR(50) NOT NULL,
     last_name VARCHAR(50) NOT NULL,
     is_active BOOLEAN DEFAULT TRUE,
+    role VARCHAR(50) NOT NULL DEFAULT 'user',
     created_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
     updated_at TIMESTAMP WITH TIME ZONE DEFAULT CURRENT_TIMESTAMP,
     deleted_at TIMESTAMP WITH TIME ZONE

internal/database/seed.go

@@ -17,6 +17,7 @@ type SeedUser struct {
 	FirstName string `json:"first_name"`
 	LastName  string `json:"last_name"`
 	IsActive  bool   `json:"is_active"`
+	Role      string `json:"role"`
 }
 
 type SeedData struct {
@@ -60,6 +61,7 @@ func Seed(db *gorm.DB) error {
 			FirstName: seedUser.FirstName,
 			LastName:  seedUser.LastName,
 			IsActive:  seedUser.IsActive,
+			Role:      seedUser.Role,
 		}
 
 		if err := db.Create(user).Error; err != nil {

internal/handlers/server.go

@@ -87,6 +87,7 @@ func (s *Server) setupRoutes() {
 	{
 		protected.GET("/profile", userHandler.GetProfile)
 		protected.GET("/users/:id", middleware.AuthorizeSelf(), userHandler.GetUser)
+		protected.GET("/users", middleware.RestrictToRoles("admin", "superuser"), userHandler.GetAllUsers)
 	}
 }
 

internal/handlers/user.go

@@ -141,3 +141,19 @@ func (h *UserHandler) GetUser(c *gin.Context) {
 	c.JSON(http.StatusOK, gin.H{"user": user})
 }
 
+// @Summary Get all users
+// @Description Retrieve a list of all users
+// @Tags Users
+// @Produce json
+// @Success 200 {object} map[string]interface{} "Users retrieved successfully"
+// @Failure 500 {object} map[string]string "Internal server error"
+// @Router /api/v1/users [get]
+func (h *UserHandler) GetAllUsers(c *gin.Context) {
+	users, err := h.userService.GetAllUsers()
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"users": users})
+}

internal/middleware/auth.go

@@ -28,7 +28,7 @@ func AuthMiddleware(cfg *config.Config) gin.HandlerFunc {
 		}
 
 		c.Set("user_id", claims.UserID)
-		c.Set("user_email", claims.Email)
+		c.Set("role", claims.Role)
 		c.Next()
 	}
 }
@@ -70,4 +70,32 @@ func AuthorizeSelf() gin.HandlerFunc {
 
 		c.Next()
 	}
+}
+
+func RestrictToRoles(allowedRoles ...string) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		userRoleRaw, exists := c.Get("role")
+		if !exists {
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "user not authenticated"})
+			c.Abort()
+			return
+		}
+
+		userRole, ok := userRoleRaw.(string)
+		if !ok {
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid user role in context"})
+			c.Abort()
+			return
+		}
+
+		for _, role := range allowedRoles {
+			if userRole == role {
+				c.Next()
+				return
+			}
+		}
+
+		c.JSON(http.StatusForbidden, gin.H{"error": "forbidden"})
+		c.Abort()
+	}
 }

internal/models/user.go

@@ -14,6 +14,7 @@ type User struct {
 	FirstName string `json:"first_name" validate:"min=2,max=50"`
 	LastName string `json:"last_name" validate:"min=2,max=50"`
 	IsActive bool `json:"is_active" gorm:"default:true"`
+	Role string `json:"role" validate:"required,oneof=admin user moderator support superuser" gorm:"default:'user'"`
 	CreatedAt time.Time `json:"created_at"`
 	UpdatedAt time.Time `json:"updated_at"`
 	DeletedAt gorm.DeletedAt `json:"-" gorm:"index"`
@@ -26,6 +27,7 @@ type UserResponse struct {
 	FirstName string    `json:"first_name"`
 	LastName  string    `json:"last_name"`
 	IsActive  bool      `json:"is_active"`
+	Role 	string    `json:"role"`
 	CreatedAt time.Time `json:"created_at"`
 }
 
@@ -40,6 +42,7 @@ type RegisterRequest struct {
 	Password  string `json:"password" validate:"required,min=6"`
 	FirstName string `json:"first_name" validate:"required,min=2,max=50"`
 	LastName  string `json:"last_name" validate:"required,min=2,max=50"`
+	Role      string `json:"role" validate:"omitempty,oneof=admin user moderator support superuser" gorm:"default:'user'"`
 }
 
 func (u *User) ToResponse() UserResponse {
@@ -50,6 +53,7 @@ func (u *User) ToResponse() UserResponse {
 		FirstName: u.FirstName,
 		LastName:  u.LastName,
 		IsActive:  u.IsActive,
+		Role:      u.Role,
 		CreatedAt: u.CreatedAt,
 	}
 }

internal/repository/user_cache.go

@@ -32,6 +32,7 @@ type userCacheEntry struct {
     FirstName    string    `json:"first_name"`
     LastName     string    `json:"last_name"`
     IsActive     bool      `json:"is_active"`
+	Role         string    `json:"role"`
     CreatedAt    time.Time `json:"created_at"`
     UpdatedAt    time.Time `json:"updated_at"`
 }
@@ -45,6 +46,7 @@ func toCache(user *models.User) *userCacheEntry {
         FirstName:    user.FirstName,
         LastName:     user.LastName,
         IsActive:     user.IsActive,
+        Role:         user.Role,
         CreatedAt:    user.CreatedAt,
         UpdatedAt:    user.UpdatedAt,
     }
@@ -59,6 +61,7 @@ func toModel(entry *userCacheEntry) *models.User {
         FirstName:    entry.FirstName,
         LastName:     entry.LastName,
         IsActive:     entry.IsActive,
+        Role:         entry.Role,
         CreatedAt:    entry.CreatedAt,
         UpdatedAt:    entry.UpdatedAt,
     }
@@ -102,6 +105,10 @@ func (r *cachedUserRepository) Create(user *models.User) error {
 	}
 
 	ctx := context.Background()
+
+	if saved, err := r.base.GetByID(user.ID); err == nil && saved != nil {
+		user = saved
+	}
 
 	r.set(ctx, r.keyByID(user.ID), user)
 	r.set(ctx, r.keyByEmail(user.Email), user)

internal/services/user.go

@@ -39,13 +39,18 @@ func (s *UserService) Register(req *models.RegisterRequest) (*models.UserRespons
 		return nil, err
 	}
 
+	if req.Role == "" {
+		req.Role = "user"
+	}
+
 	user := &models.User{
 		Username: req.Username,
 		Email:    req.Email,
 		PasswordHash: hashedPassword,
 		FirstName: req.FirstName,
 		LastName:  req.LastName,
 		IsActive: true,
+		Role: req.Role,
 	}
 
 	if err := s.userRepo.Create(user); err != nil {
@@ -75,7 +80,7 @@ func (s *UserService) Login(req *models.LoginRequest) (string, *models.UserRespo
 
 	token, err := utils.GenerateJWT(
 		user.ID, 
-		user.Email, 
+		user.Role, 
 		s.config.JWT.Secret, 
 		s.config.JWT.ExpirationHours,
 	)
@@ -99,4 +104,18 @@ func (s *UserService) GetUserByID(id uint) (*models.UserResponse, error) {
 
 	response := user.ToResponse()
 	return &response, nil
+}
+
+func (s *UserService) GetAllUsers() ([]models.UserResponse, error) {
+	users, err := s.userRepo.List(50, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	var responses []models.UserResponse
+	for _, user := range users {
+		responses = append(responses, user.ToResponse())
+	}
+
+	return responses, nil
 }