ShiftWise API Docs

    Function requireRole

    • Authorisation middleware factory — Layer 2 of 2.

      Returns a middleware that verifies the authenticated user is a member of the workspace identified by the :workspaceId route parameter and holds one of the specified roles. On success it attaches the full Membership (including workspace) to req.membership.

      Must be used after requireAuth since it relies on req.user.

      Calls next(Forbidden(...)) if:

      • The user is not a member of the workspace
      • The user's role is not in the allowed roles list

      Parameters

      • ...roles: ("OWNER" | "MANAGER" | "EMPLOYEE")[]

        One or more roles that are permitted to access the route

      Returns (req: AuthRequest, res: Response, next: NextFunction) => Promise<void>

      Express middleware function

      // Only owners and managers can add employees
      router.post('/:workspaceId/employees',
        requireAuth,
        requireRole('OWNER', 'MANAGER'),
        addEmployeeHandler
      )

      // Any workspace member can view the schedule
      router.get('/:workspaceId/schedule',
        requireAuth,
        requireRole('OWNER', 'MANAGER', 'EMPLOYEE'),
        getScheduleHandler
      )
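
The contract described above, sketched as an added example (not ShiftWise source code): the role is looked up for the workspace named in the URL, so a user who is OWNER of one workspace is still rejected on another. The in-memory MEMBERSHIPS data, findMembership, the Forbidden error shape, req.user.id and the fail-closed branch for a missing req.user are assumptions made so the sketch runs without Express or a database.

```javascript
// Added sketch, not the project's implementation. All data below is constructed.
const MEMBERSHIPS = [
  { userId: 'u1', workspaceId: 'w1', role: 'OWNER', workspace: { id: 'w1', name: 'Cafe' } },
  { userId: 'u2', workspaceId: 'w1', role: 'EMPLOYEE', workspace: { id: 'w1', name: 'Cafe' } },
];

// Hypothetical lookup standing in for the real membership query.
async function findMembership(userId, workspaceId) {
  return MEMBERSHIPS.find(
    (m) => m.userId === userId && m.workspaceId === workspaceId
  ) || null;
}

// Assumed error shape: an Error carrying an HTTP status of 403.
function Forbidden(message) {
  return Object.assign(new Error(message), { status: 403 });
}

function requireRole(...roles) {
  const allowed = new Set(roles);
  return async (req, res, next) => {
    try {
      // Assumption: fail closed if requireAuth did not run before this layer.
      if (!req.user) return next(Forbidden('Not authenticated'));
      // Scope the check to the workspace in the route, never to a global role.
      const membership = await findMembership(req.user.id, req.params.workspaceId);
      if (!membership) return next(Forbidden('Not a member of this workspace'));
      if (!allowed.has(membership.role)) return next(Forbidden('Insufficient role'));
      req.membership = membership; // downstream handlers read this
      next();
    } catch (err) {
      next(err); // lookup failures go to the error handler, not to the route
    }
  };
}

// Drives the middleware with a fake request and reports what next() received.
async function run(middleware, user, workspaceId) {
  const req = { user, params: { workspaceId } };
  const err = await new Promise((resolve) => middleware(req, {}, resolve));
  return { status: err ? err.status : 200, membership: req.membership || null };
}
```

Calling run(requireRole('OWNER', 'MANAGER'), { id: 'u1' }, 'w2') exercises the cross-workspace case: the same user who passes on w1 is rejected on w2.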