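/**
 * Access-control table: role -> Express route pattern -> allowed HTTP methods
 * (lower-case). The route keys are compared against `req.route.path` by
 * `aclMiddleware`; any role/route/method combination that is not listed here
 * is denied. The table is frozen at every level so the policy cannot be
 * mutated at runtime by any code that gets a reference to it.
 */
const rolePermissions = Object.freeze({
  admin: Object.freeze({
    '/orders': Object.freeze(['get', 'post', 'put', 'delete']),
    '/orders/:id': Object.freeze(['get', 'put', 'delete']),
    // other routes
  }),
  transactionStaff: Object.freeze({
    '/orders': Object.freeze(['get']),
    '/orders/:id': Object.freeze(['get']),
    // other routes
  }),
  // other roles
});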
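/**
 * Express middleware that enforces `rolePermissions` (role -> route pattern ->
 * allowed methods). The decision is deny-by-default: the request is passed on
 * only when the role, the route and the lower-cased method are all explicitly
 * listed; otherwise it is answered with 403 'Access Denied'.
 *
 * Fixes over the previous version:
 *  - a request without `req.user` (no authentication step ran) used to throw a
 *    TypeError and surface as a 500; it is now denied with 403.
 *  - `req.route` is only set by Express once a route has matched, so it is
 *    undefined when this middleware is mounted with `app.use`; the lookup now
 *    falls back to `req.path` instead of throwing. Parameterised patterns such
 *    as '/orders/:id' can only match when `req.route.path` is available, i.e.
 *    when the middleware is attached to the route itself.
 *  - lookups use `Object.hasOwn`, so inherited keys like 'constructor' or
 *    '__proto__' are never treated as a role or a route.
 *
 * @param {object} req  - Express request; `req.user.role` is expected to have
 *   been populated by an upstream authentication middleware (not shown here).
 * @param {object} res  - Express response; receives 403 on denial.
 * @param {Function} next - called only when access is granted.
 */
const aclMiddleware = (req, res, next) => {
  const userRole = req.user?.role;
  const requestedRoute = req.route?.path ?? req.path;
  const method = req.method.toLowerCase();

  // Only own properties count as roles / routes (see header comment).
  const routesForRole =
    userRole != null && Object.hasOwn(rolePermissions, userRole)
      ? rolePermissions[userRole]
      : null;
  const allowedMethods =
    routesForRole != null && Object.hasOwn(routesForRole, requestedRoute)
      ? routesForRole[requestedRoute]
      : null;
  const isAllowed =
    Array.isArray(allowedMethods) && allowedMethods.includes(method);

  if (isAllowed) {
    next();
  } else {
    res.status(403).send('Access Denied');
  }
};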
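const express = require("express");
const app = express();

// Define your routes

// Public routes: registered first and without the ACL, so they stay reachable
// by requests that carry no role. The previous version called
// app.use(aclMiddleware) before this route (and again below), so every public
// request was pushed through the ACL as well.
// NOTE(review): publicController and orderController are assumed to be defined
// or imported elsewhere in the file — they are not shown here.
app.get("/public-endpoint", publicController.handler);

// Protected routes: the ACL is attached to each route instead of being mounted
// with app.use, because aclMiddleware keys its lookup on req.route.path, which
// Express only sets once a route has matched (it is undefined in app-level
// middleware). Mounting it here also removes the duplicate registration.
// An authentication step that populates req.user must run before the ACL.
app.post("/orders", aclMiddleware, orderController.create);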