const { logger } = require('./logger');

/**
 * Express-style authorization gate: lets the request through only when
 * `req.user.role` is exactly 'admin' or 'super_admin'.
 *
 * A missing `req.user`, a missing or falsy role, and any other role value
 * all take the same path: a warning is logged and a 403 JSON body is sent.
 *
 * NOTE(review): this only checks a role that something else has already
 * placed on `req.user`; presumably an authentication middleware runs before
 * it. Confirm the mount order on every admin route.
 *
 * @param {object} req - Request; `user.role`, `originalUrl` and `method` are read.
 * @param {object} res - Response; used only to send the 403 reply.
 * @param {Function} next - Called with no arguments when the role is allowed.
 * @returns {*} The result of `res.status(403).json(...)` on denial, otherwise undefined.
 */
function adminOnly(req, res, next) {
  const allowedRoles = ['admin', 'super_admin'];
  const userRole = req.user?.role;

  // Exact string match against the allow-list; a falsy role never passes.
  const isPrivileged = Boolean(userRole) && allowedRoles.includes(userRole);

  if (isPrivileged) {
    next();
    return;
  }

  // Denials are logged so repeated probing of admin routes is visible.
  // NOTE(review): in Express, originalUrl carries the query string; confirm
  // the log sink does not retain sensitive query parameters.
  logger.warn('adminOnly:forbidden', {
    role: userRole,
    route: req.originalUrl,
    method: req.method,
  });

  return res.status(403).json({
    success: false,
    message: 'Admin role required',
  });
}

module.exports = adminOnly;