- Add requireAdminRole middleware to web UI that checks
claims.HasRole("admin") and returns 403 if absent
- Apply middleware to all admin routes (accounts, policies,
audit, dashboard, credentials)
- Remove redundant inline admin check from handleAdminResetPassword
- Profile routes correctly require only authentication, not admin
Security: The admin/adminGet middleware wrappers only called
requireCookieAuth (JWT validation) but never verified the admin
role. Any authenticated user could access admin endpoints
including role assignment. Fixed by inserting requireAdminRole
into the middleware chain for all admin routes.
Kyle Isom
8d9d9da6f5