Hands-On Assignment - NestJS


Problem Statement - Implement an ACL (access control list) for an e-commerce website

The following needs to be implemented:

1. Implement a signup API with the following properties (all fields are mandatory)
a) Username, which must be unique.
b) Password, which must be alphanumeric.
c) Role of the user, which must be one of admin, seller, supporter or customer.
2. Permissions per role are as follows:
(
ADMIN - has all permissions, i.e. create, update, delete and fetch data
SELLER - has permission to create, update and fetch data (not allowed to delete)
SUPPORTER - has permission to delete and fetch data
CUSTOMER - only has permission to fetch data
)
a) These permissions must be saved in the DB, as they may change over time, and must be
fetched from the DB whenever they are needed to authorize a user.
3. Implement a login API with the following properties
a) Username
b) Password
4. Implement ACL in the project for the “{BASE_URL}/products” endpoint against all
REST methods (via an auth guard that works for all of them)
a) If the logged-in user is an admin, they should be able to access all the endpoints.
b) For the POST, PUT or PATCH methods against the endpoint “/products”, the
customer and supporter must not have access.
c) For the GET method against the endpoint “/products”, all roles have access.
d) For the DELETE method against the endpoint “/products”, only the supporter (besides
the admin, per a) should have access.
e) If the user is not authorized for an endpoint, return the following:
Response - { message: “Not authorized to access endpoint” }
Status code - 401
f) If the user is authorized, return the following according to the method type:
GET ->
Response - { message: “Products sent successfully” }
Status code - 200
POST ->
Response - { message: “Product added successfully” }
Status code - 201
PUT, PATCH ->
Response - { message: “Product updated successfully” }
Status code - 200
DELETE ->
Response - { message: “Product deleted successfully” }
Status code - 200
Note - No logic needs to be written in the controller layer; it should only return the
above response and status code once the auth guard has allowed the user to access the
endpoint.
5. ACL must not apply to the login/signup endpoints.
6. The ACL logic should be generic, so that if in future we want ACL on other endpoints
or a new role is introduced, the changes are minimal.
7. Code must be clear and easy to understand.
8. Bonus marks for writing unit tests against your endpoints.
9. Proper error handling must be in place.
10. No external library may be used for the ACL logic itself.
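As an added example (not part of the assignment text, and not a reference solution), the following TypeScript shows the role-agnostic core that a NestJS `CanActivate` guard can delegate to for items 2, 4, 5 and 6: a permission store that stands in for the DB table, a method-to-permission mapping, a guard that fails closed on every unknown case, and a controller step that holds no logic of its own. The names `PermissionStore`, `AclGuard`, `handleProducts` and the seed data are assumptions modelled on the assignment; the store is synchronous only so the file runs stand-alone, where a real repository call would be `async`.

```typescript
// Added example, not the assignment's own code. Names and seed data are assumptions.

type AclPermission = "create" | "update" | "delete" | "fetch";
type HttpMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";

// Which permission each REST method needs. Supporting a new method is one line here;
// protecting a new endpoint is one entry in the guard's path list below.
const REQUIRED_PERMISSION: Record<HttpMethod, AclPermission> = {
  GET: "fetch", POST: "create", PUT: "update", PATCH: "update", DELETE: "delete",
};

// Role -> permissions lives in the DB (item 2a). The guard depends only on this
// interface; the in-memory class stands in for a repository in this example.
interface PermissionStore {
  permissionsFor(role: string): ReadonlySet<AclPermission> | undefined;
}

class InMemoryPermissionStore implements PermissionStore {
  private readonly rows: Map<string, Set<AclPermission>> = new Map();

  constructor(seed: Record<string, AclPermission[]>) {
    for (const [role, perms] of Object.entries(seed)) this.grant(role, perms);
  }

  // Adding a role, or changing what a role may do, is a data change only (item 6).
  grant(role: string, perms: AclPermission[]): void {
    const set = this.rows.get(role) ?? new Set<AclPermission>();
    for (const p of perms) set.add(p);
    this.rows.set(role, set);
  }

  permissionsFor(role: string): ReadonlySet<AclPermission> | undefined {
    return this.rows.get(role);
  }
}

// Constructed seed data mirroring item 2 of the assignment.
const SEED_PERMISSIONS: Record<string, AclPermission[]> = {
  admin: ["create", "update", "delete", "fetch"],
  seller: ["create", "update", "fetch"],
  supporter: ["delete", "fetch"],
  customer: ["fetch"],
};

// Minimal request shape; in Nest this comes from ExecutionContext.switchToHttp().getRequest()
// after the login step has attached the authenticated user.
interface AclRequest {
  method: string;
  path: string;
  user?: { username: string; role: string };
}

class AclGuard {
  private readonly store: PermissionStore;
  private readonly protectedPaths: string[];

  constructor(store: PermissionStore, protectedPaths: string[]) {
    this.store = store;
    this.protectedPaths = protectedPaths;
  }

  private isProtected(path: string): boolean {
    return this.protectedPaths.some((p) => path === p || path.startsWith(p + "/"));
  }

  // Same contract as CanActivate.canActivate(): true admits the request.
  // No user, unknown role and unknown method all fail closed.
  canActivate(req: AclRequest): boolean {
    if (!this.isProtected(req.path)) return true;            // item 5: login/signup stay open
    if (!req.user) return false;
    const perms = this.store.permissionsFor(req.user.role);   // read from the store per request (item 2a)
    if (!perms) return false;
    const needed = REQUIRED_PERMISSION[req.method.toUpperCase() as HttpMethod];
    return needed !== undefined && perms.has(needed);
  }
}

// Fixed responses from items 4e and 4f. The controller step only maps the guard's
// decision onto the mandated body and status; it contains no ACL logic.
const DENIED = { status: 401, message: "Not authorized to access endpoint" };
const SUCCESS: Record<HttpMethod, { status: number; message: string }> = {
  GET: { status: 200, message: "Products sent successfully" },
  POST: { status: 201, message: "Product added successfully" },
  PUT: { status: 200, message: "Product updated successfully" },
  PATCH: { status: 200, message: "Product updated successfully" },
  DELETE: { status: 200, message: "Product deleted successfully" },
};

function handleProducts(guard: AclGuard, req: AclRequest): { status: number; message: string } {
  if (!guard.canActivate(req)) return DENIED;
  return SUCCESS[req.method.toUpperCase() as HttpMethod];
}
```

Two practical notes when wiring this into NestJS. A guard that returns `false` makes Nest respond with its default 403 Forbidden, so to produce the assignment's 401 body the real guard should throw `new UnauthorizedException({ message: "Not authorized to access endpoint" })` instead of returning `false` (strictly, HTTP uses 401 for unauthenticated and 403 for authenticated-but-forbidden requests, but the assignment mandates 401). And although the ACL itself may use no external library, the signup step should still store only a password hash (for example via `crypto.scrypt` from Node's standard library), never the alphanumeric password itself.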
