http: roleAtLeast helper for the role hierarchy

internal/server/http/rbac.go

@@ -0,0 +1,26 @@
+package http
+
+import (
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
+)
+
+// rank maps each role to a numeric tier so 'A is at least B' becomes
+// 'rank[A] >= rank[B] && both are known'. Unknown roles return 0 →
+// fail-closed against either argument.
+var roleRank = map[store.Role]int{
+	store.RoleViewer:   1,
+	store.RoleOperator: 2,
+	store.RoleAdmin:    3,
+}
+
+// roleAtLeast reports whether `have` meets or exceeds `min` in the
+// admin > operator > viewer hierarchy. Either side being an unknown
+// role returns false.
+func roleAtLeast(have, min store.Role) bool {
+	h, hok := roleRank[have]
+	m, mok := roleRank[min]
+	if !hok || !mok {
+		return false
+	}
+	return h >= m
+}

internal/server/http/rbac_test.go

@@ -0,0 +1,33 @@
+package http
+
+import (
+	"testing"
+
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
+)
+
+func TestRoleAtLeast(t *testing.T) {
+	t.Parallel()
+	cases := []struct {
+		have store.Role
+		min  store.Role
+		want bool
+	}{
+		{store.RoleViewer, store.RoleViewer, true},
+		{store.RoleOperator, store.RoleViewer, true},
+		{store.RoleAdmin, store.RoleViewer, true},
+		{store.RoleAdmin, store.RoleOperator, true},
+		{store.RoleAdmin, store.RoleAdmin, true},
+		{store.RoleViewer, store.RoleOperator, false},
+		{store.RoleViewer, store.RoleAdmin, false},
+		{store.RoleOperator, store.RoleAdmin, false},
+		{store.Role("nonsense"), store.RoleViewer, false},
+		{store.RoleAdmin, store.Role("nonsense"), false},
+	}
+	for _, c := range cases {
+		got := roleAtLeast(c.have, c.min)
+		if got != c.want {
+			t.Errorf("have=%q min=%q: got %v want %v", c.have, c.min, got, c.want)
+		}
+	}
+}