updates

Frontend/src/features/auth/components/AdminRoute.tsx

@@ -7,13 +7,21 @@ interface AdminRouteProps {
   children: React.ReactNode;
 }
 
+/**
+ * SECURITY NOTE: This component performs CLIENT-SIDE authorization checks only.
+ * These checks are for UX purposes (showing/hiding UI elements).
+ * 
+ * ALL authorization must be enforced server-side. Client-side checks can be bypassed
+ * by modifying localStorage or browser DevTools. The backend API must validate
+ * user roles and permissions for every request.
+ */
 const AdminRoute: React.FC<AdminRouteProps> = ({ 
   children
 }) => {
   const { isAuthenticated, userInfo, isLoading } = useAuthStore();
   const { openModal } = useAuthModal();
   
-  
+  // SECURITY: Client-side role check - backend must also validate
   useEffect(() => {
     if (!isLoading && !isAuthenticated) {
       openModal('login');
@@ -45,6 +53,8 @@ const AdminRoute: React.FC<AdminRouteProps> = ({
   }
 
   
+  // SECURITY: Client-side role check - MUST be validated server-side
+  // This check can be bypassed by modifying localStorage
   const isAdmin = userInfo?.role === 'admin';
   if (!isAdmin) {
     // Redirect to appropriate dashboard based on role