feat(auth): implement role-based access control and user management features

backend/src/products/products.controller.ts

@@ -19,6 +19,7 @@ import { UpdateCanonicalNameDto } from './dto/update-canonical-name.dto';
 import { SetTagsDto } from './dto/set-tags.dto';
 import { UpsertNutritionDto } from './dto/upsert-nutrition.dto';
 import { BulkUpdateProductsDto } from './dto/bulk-update-products.dto';
+import { Roles } from '../auth/decorators/roles.decorator';
 
 @Controller('products')
 export class ProductsController {
@@ -50,6 +51,7 @@ export class ProductsController {
     return this.productsService.previewMerge(sourceProductId, targetProductId);
   }
 
+  @Roles('admin')
   @Post('backfill-canonical')
   backfillCanonical() {
     return this.productsService.backfillCanonicalNames();
@@ -65,6 +67,7 @@ export class ProductsController {
     return this.productsService.create(body);
   }
 
+  @Roles('admin')
   @Post('merge')
   merge(@Body() body: MergeProductsDto) {
     return this.productsService.merge(body.sourceProductId, body.targetProductId);
@@ -102,22 +105,26 @@ export class ProductsController {
     return this.productsService.update(id, body);
   }
 
+  @Roles('admin')
   @Delete(':id')
   remove(@Param('id', ParseIntPipe) id: number) {
     return this.productsService.remove(id);
   }
 
+  @Roles('admin')
   @Post(':id/restore')
   restore(@Param('id', ParseIntPipe) id: number) {
     return this.productsService.restore(id);
   }
 
+  @Roles('admin')
   @Post('reset-all')
   @HttpCode(200)
   resetAll() {
     return this.productsService.resetAll();
   }
 
+  @Roles('admin')
   @Post('bulk-update')
   @HttpCode(200)
   bulkUpdate(@Body() body: BulkUpdateProductsDto) {