From 209f4d74f7e18cad1c58216c814388f2e162b48c Mon Sep 17 00:00:00 2001
From: "Rodrigo Rodriguez (Pragmatismo)"
Date: Sat, 10 Jan 2026 14:13:08 -0300
Subject: [PATCH] feat(rbac): add missing route permissions

- Add /api/email/** routes
- Add messaging channels: telegram, whatsapp, msteams, instagram
- Add /api/pages/** routes
- Add /api/insights/** routes
- Add /api/app-logs/** routes
- Add /api/user/** for user profile
- Add /api/ui/email/** HTMX routes
---
 src/security/rbac_middleware.rs | 36 +++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/src/security/rbac_middleware.rs b/src/security/rbac_middleware.rs
index 8efa651cf..7d4b29f67 100644
--- a/src/security/rbac_middleware.rs
+++ b/src/security/rbac_middleware.rs
@@ -1144,6 +1144,40 @@ pub fn build_default_route_permissions() -> Vec {
 RoutePermission::new("/api/llm/**", "GET", ""),
 RoutePermission::new("/api/llm/**", "POST", ""),
 
+ // Email
+ RoutePermission::new("/api/email/**", "GET", ""),
+ RoutePermission::new("/api/email/**", "POST", ""),
+ RoutePermission::new("/api/email/**", "PUT", ""),
+ RoutePermission::new("/api/email/**", "DELETE", ""),
+
+ // Messaging channels
+ RoutePermission::new("/api/telegram/**", "GET", ""),
+ RoutePermission::new("/api/telegram/**", "POST", ""),
+ RoutePermission::new("/api/whatsapp/**", "GET", ""),
+ RoutePermission::new("/api/whatsapp/**", "POST", ""),
+ RoutePermission::new("/api/msteams/**", "GET", ""),
+ RoutePermission::new("/api/msteams/**", "POST", ""),
+ RoutePermission::new("/api/instagram/**", "GET", ""),
+ RoutePermission::new("/api/instagram/**", "POST", ""),
+
+ // Pages
+ RoutePermission::new("/api/pages/**", "GET", ""),
+ RoutePermission::new("/api/pages/**", "POST", ""),
+ RoutePermission::new("/api/pages/**", "PUT", ""),
+ RoutePermission::new("/api/pages/**", "DELETE", ""),
+
+ // Insights
+ RoutePermission::new("/api/insights/**", "GET", ""),
+ RoutePermission::new("/api/insights/**", "POST", ""),
+
+ // App logs
+ RoutePermission::new("/api/app-logs/**", "GET", ""),
+ RoutePermission::new("/api/app-logs/**", "POST", ""),
+
+ // User profile (own user)
+ RoutePermission::new("/api/user/**", "GET", ""),
+ RoutePermission::new("/api/user/**", "PUT", ""),
+
 // =====================================================================
 // UI ROUTES (HTMX endpoints) - authenticated users
 // =====================================================================
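Review bot: `/api/app-logs/**` is registered with the same empty third argument as the ordinary feature routes, so application logs get no stricter requirement than email or pages. What `""` means is defined outside this hunk, but if it stands for "any authenticated user", log contents become readable and writable by every account; consider listing that group with the admin routes or giving it a specific permission. The `// User profile (own user)` comment also promises more than a path pattern can enforce, since `/api/user/**` matches every sub-path regardless of whose profile it addresses. The ownership check has to live in the handlers and the comment should say so, e.g. `// User profile: pattern is not scoped to the caller; handlers must verify the target user`. The body of build_default_route_permissions starts and ends outside the hunk.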
@@ -1188,6 +1222,8 @@ pub fn build_default_route_permissions() -> Vec {
 RoutePermission::new("/api/ui/social/**", "GET", ""),
 RoutePermission::new("/api/ui/settings/**", "GET", ""),
 RoutePermission::new("/api/ui/autotask/**", "GET", ""),
+ RoutePermission::new("/api/ui/email/**", "GET", ""),
+ RoutePermission::new("/api/ui/email/**", "POST", ""),
 
 // =====================================================================
 // ADMIN ROUTES (requires Admin or SuperAdmin role)
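Review bot: The `POST` rule for `/api/ui/email/**` is the only non-GET entry among the UI rules visible in this hunk, and nothing here records why the HTMX email views need a state-changing method. If those handlers send or modify mail, they should apply the same checks as the `/api/email/**` handlers so the UI path is not a weaker route to the same action; the route table alone cannot confirm that. A one-line comment above the pair would document the intent, e.g. `// POST needed for HTMX form submissions; handlers apply the same checks as /api/email/**`. The function body continues outside the hunk.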