RBAC via casbin

src/app.rs

@@ -56,6 +56,20 @@ impl Hooks for App {
         environment.load()
     }
 
+    /// Attach the Casbin authorization layer on top of all routes. Order
+    /// matters: `inject_subject` is the outermost layer so it runs first and
+    /// stamps the JWT-derived role onto the request before the inner
+    /// `CasbinAxumLayer` enforces the policy. See `shared::rbac`.
+    async fn after_routes(router: axum::Router, ctx: &AppContext) -> Result<axum::Router> {
+        let casbin = crate::shared::rbac::layer().await?;
+        Ok(router
+            .layer(casbin)
+            .layer(axum::middleware::from_fn_with_state(
+                ctx.clone(),
+                crate::shared::rbac::inject_subject,
+            )))
+    }
+
     async fn initializers(_ctx: &AppContext) -> Result<Vec<Box<dyn Initializer>>> {
         Ok(vec![
             Box::new(initializers::view_engine::ViewEngineInitializer),