Skip to content

feat: Role-Based Access Control (RBAC) and Admin Dashboard#387

Open
swetalin-10 wants to merge 3 commits into
niharika-mente:mainfrom
swetalin-10:feat/rbac-admin-dashboard
Open

feat: Role-Based Access Control (RBAC) and Admin Dashboard#387
swetalin-10 wants to merge 3 commits into
niharika-mente:mainfrom
swetalin-10:feat/rbac-admin-dashboard

Conversation

@swetalin-10

@swetalin-10 swetalin-10 commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

Fixes #179

Overview

Adds a role field to users, an admin middleware that gates write operations on products, and a protected /admin dashboard where admins can view, create, edit, and delete inventory.

Backend changes

BACKEND/models/user.model.js

Added role: { type: String, enum: ['user', 'admin'], default: 'user' }. All existing users default to 'user' — no migration needed.

BACKEND/middleware/adminMiddleware.js (new)

Returns 403 Access denied if req.user.role !== 'admin'. Chained after authMiddleware so the user is already verified.

BACKEND/middleware/authMiddleware.js

Exposes role on req.user so downstream middleware can inspect it.

BACKEND/routes/product.route.js

POST /, PUT /:id, PATCH /:id/restock, and DELETE /:id now require authMiddlewareadminMiddleware. GET routes remain public.

BACKEND/controllers/auth.controller.js

Login response now includes role in the user payload so the frontend can store it and gate UI.

Frontend changes

FRONTEND/src/components/AdminRoute.jsx (new)

Reads authToken and authUser from localStorage. Redirects guests to /login and non-admins to /. Admins pass through.

FRONTEND/src/pages/AdminDashboardPage.jsx (new)

  • Sortable product table: image thumbnail, name, category badge, price, stock (green/red badge)
  • Edit — opens a pre-filled modal; calls updateProduct from the existing product store
  • Delete — confirmation prompt then deleteProduct
  • + Add Product — opens an empty modal; calls createProduct

FRONTEND/src/App.jsx

Added <Route path="/admin" element={<AdminRoute><AdminDashboardPage /></AdminRoute>} />.

FRONTEND/src/components/ui/Navbar.jsx

A Dashboard button (purple outline) appears in the nav only when authUser.role === 'admin'.

Screenshot

Admin dashboard

How to test

  1. Register a user, then in MongoDB set role: 'admin' on that document.
  2. Log in — the Dashboard button appears in the navbar.
  3. Visit /admin to see the product table.
  4. Try POST /api/products without a token or with a non-admin token → 403.
  5. Visit /admin while logged in as a regular user → redirected to /.

@swetalin-10
feat: RBAC and admin dashboard (closes niharika-mente#179)
81e0d6e 
Backend:
- user.model.js: add role field ('user'|'admin', default 'user')
- adminMiddleware.js: new middleware - 403 if req.user.role !== 'admin'
- authMiddleware.js: expose role on req.user
- product.route.js: protect POST/PUT/PATCH/DELETE with authMiddleware + adminMiddleware
- auth.controller.js: include role in login response payload

Frontend:
- AdminRoute.jsx: redirects non-admins to / and guests to /login
- AdminDashboardPage.jsx: product table with Edit/Delete/Add; edit and
  add open a modal form that calls updateProduct/createProduct from store
- App.jsx: /admin route wrapped in AdminRoute
- Navbar.jsx: Dashboard button visible only when role === 'admin'
@vercel

vercel Bot commented Jun 21, 2026

Copy link
Copy Markdown

@swetalin-10 is attempting to deploy a commit to the niharika-mente's projects Team on Vercel.

A member of the Team first needs to authorize it.

@swetalin-10
chore: merge upstream/main into feat/rbac-admin-dashboard
4a2adab 
Resolved conflicts:
- user.model.js: kept role + added resetPasswordToken/resetPasswordExpires from upstream
- adminMiddleware.js: identical logic, kept ours (quote style difference)
- App.jsx: kept AdminRoute for /admin, added forgot/reset-password routes from upstream, removed duplicate import
- Navbar.jsx: identical logic, kept ours (quote style difference)
- AdminDashboardPage.jsx: kept our CRUD product table (issue niharika-mente#179); upstream analytics dashboard is a separate feature from niharika-mente#374
- admin-dashboard.png: kept ours
Aamod-Dev
Aamod-Dev approved these changes Jun 21, 2026
View reviewed changes

@Aamod-Dev Aamod-Dev left a comment
edited
Loading

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

...

Aamod-Dev
Aamod-Dev requested changes Jun 21, 2026
View reviewed changes

@Aamod-Dev Aamod-Dev left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs changes: There are merge conflicts. Please resolve them.

@swetalin-10
chore: merge upstream/main into feat/rbac-admin-dashboard
2c7c04f 
Resolved 3 conflicts:

App.jsx: upstream added duplicate AdminDashboardPage import + ReferralDashboardPage.
Dropped the duplicate, kept ReferralDashboardPage (route already present).

Navbar.jsx (1): dropped stale localStorage-polling useEffect from HEAD —
auth state is read from useAuth() context, no polling needed.

Navbar.jsx (2): Dashboard button style — kept upstream variant=ghost
for consistency with rest of nav.
@swetalin-10 swetalin-10 requested a review from Aamod-Dev June 21, 2026 18:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Aamod-Dev Aamod-Dev Awaiting requested review from Aamod-Dev

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

Hard SSoC26

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Feature: Role-Based Access Control (RBAC) & Admin Dashboard

2 participants

@swetalin-10 @Aamod-Dev