const { sendError } = require("../utils/http");

function requireRole(...allowedRoles) {
  return (req, res, next) => {
    if (!req.user) return sendError(res, 401, "Authentication required");
    if (!allowedRoles.includes(req.user.role))
      return sendError(res, 403, "Forbidden");

    next();
  };
}

module.exports = requireRole;