feat: RBAC controlling

apps/csms/src/routes/charge-points.ts

@@ -2,14 +2,20 @@ import { Hono } from "hono";
 import { desc, eq, sql } from "drizzle-orm";
 import { useDrizzle } from "@/lib/db.js";
 import { chargePoint, connector } from "@/db/schema.js";
+import type { HonoEnv } from "@/types/hono.ts";
 
-const app = new Hono();
+const app = new Hono<HonoEnv>();
 
 /** GET /api/charge-points  —  list all charge points with connectors */
 app.get("/", async (c) => {
   const db = useDrizzle();
+  const isAdmin = c.get("user")?.role === "admin";
 
-  const cps = await db.select().from(chargePoint).orderBy(desc(chargePoint.createdAt));
+  const cps = await db
+    .select()
+    .from(chargePoint)
+    .where(isAdmin ? undefined : eq(chargePoint.registrationStatus, "Accepted"))
+    .orderBy(desc(chargePoint.createdAt));
 
   // Attach connectors (connectorId > 0 only, excludes the main-controller row)
   const connectors = cps.length
@@ -37,6 +43,7 @@ app.get("/", async (c) => {
 
 /** POST /api/charge-points  —  manually pre-register a charge point */
 app.post("/", async (c) => {
+  if (c.get("user")?.role !== "admin") return c.json({ error: "Forbidden" }, 403);
   const db = useDrizzle();
   const body = await c.req.json<{
     chargePointIdentifier: string;
@@ -88,6 +95,7 @@ app.get("/:id", async (c) => {
 
 /** PATCH /api/charge-points/:id  —  update charge point fields */
 app.patch("/:id", async (c) => {
+  if (c.get("user")?.role !== "admin") return c.json({ error: "Forbidden" }, 403);
   const db = useDrizzle();
   const id = c.req.param("id");
   const body = await c.req.json<{
@@ -134,6 +142,7 @@ app.patch("/:id", async (c) => {
 
 /** DELETE /api/charge-points/:id  —  delete a charge point (cascades to connectors, transactions, meter values) */
 app.delete("/:id", async (c) => {
+  if (c.get("user")?.role !== "admin") return c.json({ error: "Forbidden" }, 403);
   const db = useDrizzle();
   const id = c.req.param("id");