# app/security/rbac.py
from functools import wraps
from flask import flash, redirect, url_for
from flask_login import current_user, login_required

def role_required(*roles):
    def decorator(fn):
        @wraps(fn)
        @login_required
        def wrapper(*a, **kw):
            if current_user.role not in roles:
                flash("Доступ заборонено", "danger")
                return redirect(url_for("main_bp.index"))
            return fn(*a, **kw)
        return wrapper
    return decorator