solve #62

[KUNDAN1334]

Summary

Feature: Role/permission-based authorization for bulk delete brains endpoint (DELETE /web/brains/deleteall).

Issue Solved:
Previously, any authenticated user could trigger a destructive bulk delete operation. This PR restricts access to only COMPANY and MANAGER roles with the brain.delete_all permission.
Additional safeguards include rate limiting, audit logging, feature flag support, and explicit confirmation via request parameter.

Motivation & Context:
Improves security, compliance, and operational safety for destructive API actions.

Change Type

• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Bug fix (non-breaking change which fixes an issue)
• This change requires a documentation update
• Translation update

Testing

Test Process:

• Verified only users with COMPANY or MANAGER roles and brain.delete_all permission can access the endpoint.
• Confirmed regular users receive 403 Forbidden.
• Checked audit logs for all bulk delete attempts.
• Tested rate limiting by repeated requests.
• Toggled feature flag to disable/enable endpoint.
• Ensured confirm=true param is required for deletion.

Test Configuration:

• OS: Ubuntu 24.04.2 LTS (dev container)
• Node.js version: [your version here]
• Database: [your database here]
• Test users: COMPANY, MANAGER, regular user

Checklist

• My code adheres to this project's style guidelines
• I have performed a self-review of my own code
• I have commented in any complex areas of my code
• I have made pertinent documentation changes
• My changes do not introduce new warnings
• I have written tests demonstrating that my changes are effective or that my feature works
• Local unit tests pass with my changes
• Any changes dependent on mine have been merged and published in downstream modules.
• A pull request for updating the documentation has been submitted.

[chsjd]

Hi @KUNDAN1334,

I pulled your PR and ran the application through Docker, but it’s showing Python code — even though we’ve already removed Python from our GitHub repository.

Please take a fresh clone of the Weam GitHub repo, where you’ll now find the updated Next.js and Node.js folders. Add your changes to this new codebase, and then we can proceed with the merge.