Roles & Permissions

Every user has exactly one role assigned at registration. Role enforcement is handled by Spring Security's @PreAuthorize at the controller method level.

---

Roles

Role	Assigned at	Description
CUSTOMER	POST /api/register/customer	Can request and manage rides, rate drivers
DRIVER	POST /api/register/driver	Can accept rides, update location, manage vehicles and documents
ADMIN	Manual DB assignment	Can review and approve/reject driver documents

---

Permission matrix

Endpoint	CUSTOMER	DRIVER	ADMIN	Public
POST /api/register/*				✓
POST /api/login				✓
POST /api/auth/refresh				✓
POST /api/logout	✓	✓	✓
GET /api/my-account/customer	✓
PATCH /api/my-account/customer	✓
GET /api/my-account/driver		✓
PATCH /api/my-account/driver		✓
POST /api/rides	✓
DELETE /api/rides/{id}	✓
POST /api/driver/accept		✓
POST /api/driver/arrived		✓
POST /api/driver/start		✓
POST /api/driver/complete		✓
GET /api/drivers/nearby	✓
POST /api/fares/estimate	✓
POST /redis/driver/location		✓
GET /redis/nearby				✓
POST /api/rides/{id}/rate	✓	✓
GET /api/drivers/{id}/rating				✓
GET /api/my-vehicles		✓
POST /api/my-vehicles		✓
PATCH /api/my-vehicles/{id}		✓
DELETE /api/my-vehicles/{id}		✓
GET /api/my-documents		✓
POST /api/my-documents		✓
POST /api/my-documents/upload		✓
DELETE /api/my-documents/{id}		✓
GET /api/admin/documents/pending			✓
PATCH /api/admin/documents/{id}/approve			✓
PATCH /api/admin/documents/{id}/reject			✓

---

Driver account status

A newly registered driver has User.status = PENDING. This field currently does not gate any API access — it exists for a future admin approval workflow. All drivers can immediately authenticate and use the API after registration.

Driver online requirement

A driver must go ONLINE via POST /drivers/my-status before they appear in nearby searches or receive ride offers. Going online requires all three document types (LICENSE, INSURANCE, REGISTRATION) to have at least one APPROVED document. See Location Strategy for details.