feat(api): migrar controllers admin a RequirePermission [UDT-006]

src/api/SIGCM2.Api/Controllers/PermisosController.cs

@@ -1,6 +1,7 @@
 using FluentValidation;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using SIGCM2.Api.Authorization;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Permisos.Assign;
 using SIGCM2.Application.Permisos.Dtos;
@@ -9,9 +10,13 @@ using SIGCM2.Application.Permisos.List;
 
 namespace SIGCM2.Api.Controllers;
 
+/// <summary>
+/// Permisos controller — granular permission per method (UDT-006).
+/// [Authorize] at class level requires a valid JWT; each method declares its specific permission.
+/// </summary>
 [ApiController]
 [Route("api/v1")]
-[Authorize(Roles = "admin")]
+[Authorize]  // JWT required on all methods; per-method [RequirePermission] handles authz
 public sealed class PermisosController : ControllerBase
 {
     private readonly IDispatcher _dispatcher;
@@ -28,8 +33,9 @@ public sealed class PermisosController : ControllerBase
         _getRolPermisosValidator = getRolPermisosValidator;
     }
 
-    /// <summary>Lists all permisos in the canonical catalog. Requires admin role.</summary>
+    /// <summary>Lists all permisos in the canonical catalog.</summary>
     [HttpGet("permisos")]
+    [RequirePermission("administracion:permisos:ver")]
     [ProducesResponseType(typeof(IReadOnlyList<PermisoDto>), StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status401Unauthorized)]
     [ProducesResponseType(StatusCodes.Status403Forbidden)]
@@ -39,8 +45,9 @@ public sealed class PermisosController : ControllerBase
         return Ok(result);
     }
 
-    /// <summary>Gets all permisos assigned to a rol. Requires admin role.</summary>
+    /// <summary>Gets all permisos assigned to a rol.</summary>
     [HttpGet("roles/{codigo}/permisos")]
+    [RequirePermission("administracion:roles_permisos:gestionar", "administracion:permisos:ver")]
     [ProducesResponseType(typeof(IReadOnlyList<PermisoDto>), StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status400BadRequest)]
     [ProducesResponseType(StatusCodes.Status401Unauthorized)]
@@ -64,9 +71,10 @@ public sealed class PermisosController : ControllerBase
 
     /// <summary>
     /// Replace-set: replaces the full permiso assignment for a rol.
-    /// Returns the updated permiso set (200). Requires admin role.
+    /// Returns the updated permiso set (200).
     /// </summary>
     [HttpPut("roles/{codigo}/permisos")]
+    [RequirePermission("administracion:roles_permisos:gestionar")]
     [ProducesResponseType(typeof(IReadOnlyList<PermisoDto>), StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status400BadRequest)]
     [ProducesResponseType(StatusCodes.Status401Unauthorized)]

src/api/SIGCM2.Api/Controllers/RolesController.cs

@@ -1,6 +1,7 @@
 using FluentValidation;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using SIGCM2.Api.Authorization;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Roles.Create;
 using SIGCM2.Application.Roles.Deactivate;
@@ -13,7 +14,7 @@ namespace SIGCM2.Api.Controllers;
 
 [ApiController]
 [Route("api/v1/roles")]
-[Authorize(Roles = "admin")]
+[RequirePermission("administracion:roles:gestionar")]
 public sealed class RolesController : ControllerBase
 {
     private readonly IDispatcher _dispatcher;

src/api/SIGCM2.Api/Controllers/UsuariosController.cs

@@ -1,6 +1,7 @@
 using FluentValidation;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using SIGCM2.Api.Authorization;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Usuarios.Create;
 
@@ -8,7 +9,7 @@ namespace SIGCM2.Api.Controllers;
 
 [ApiController]
 [Route("api/v1/users")]
-[Authorize(Roles = "admin")]
+[RequirePermission("administracion:usuarios:gestionar")]
 public sealed class UsuariosController : ControllerBase
 {
     private readonly IDispatcher _dispatcher;