Role-Based Access Control assigns permissions to roles and roles to users. A RolesGuard reads required roles from route metadata via Reflector and checks whether the authenticated user holds at least one of them. Combine with a global JwtAuthGuard so the user object is always populated before the roles check runs.
getAllAndOverride(key, [handler, class]) returns the first metadata value it finds, so method-level roles override class-level roles.
Return true when no roles are required — routes without @Roles() are accessible to all authenticated users.
Use some(), not every(): the user needs at least one of the required roles, not all of them.
Always run RolesGuard AFTER JwtAuthGuard — req.user must be populated before roles can be checked.
Register RolesGuard via APP_GUARD alongside JwtAuthGuard for global application.
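The guard behaviour described above, as an added example that is not code from the original page or from NestJS: the Reflector lookup, the RolesGuard decision, and the ordered global guard chain are stood in for by small local functions so the logic runs stand-alone, and the Role type, MetaTarget, TOKENS and the sample routes are all constructed here.

```typescript
// Added example, not from the original page: RolesGuard logic runnable without NestJS.
// Reflector.getAllAndOverride and the guard chain are stood in for by local functions.
type Role = 'admin' | 'editor' | 'viewer';
const ROLES_KEY = 'roles';

// Metadata holder standing in for a controller class or a route handler
interface MetaTarget { metadata: Record<string, unknown> }
interface HttpRequest { authorization?: string; user?: { id: string; roles: Role[] } }
type Guard = (handler: MetaTarget, controller: MetaTarget, req: HttpRequest) => boolean;

// Same semantics as Reflector.getAllAndOverride(key, [handler, class]): the first target
// that defines the key wins, so method-level @Roles() overrides class-level @Roles().
function getAllAndOverride<T>(key: string, targets: MetaTarget[]): T | undefined {
  for (const t of targets) {
    if (t.metadata[key] !== undefined) return t.metadata[key] as T;
  }
  return undefined;
}

// Constructed token table standing in for JWT verification
const TOKENS: Record<string, { id: string; roles: Role[] }> = {
  't-alice': { id: 'alice', roles: ['admin'] },
  't-bob': { id: 'bob', roles: ['editor'] },
};

const jwtAuthGuard: Guard = (_h, _c, req) => {
  const user = req.authorization ? TOKENS[req.authorization] : undefined;
  if (!user) return false; // unauthenticated: deny before any roles check
  req.user = user;         // populate req.user for the guards that run after this one
  return true;
};

const rolesGuard: Guard = (handler, controller, req) => {
  const required = getAllAndOverride<Role[]>(ROLES_KEY, [handler, controller]);
  if (!required || required.length === 0) return true; // no @Roles(): any authenticated user
  const user = req.user;
  if (!user) return false; // only reached if RolesGuard ran before JwtAuthGuard
  return required.some(r => user.roles.includes(r)); // at least one role, not all of them
};

// Global guards run in registration order and stop at the first denial, as with APP_GUARD
function authorize(guards: Guard[], handler: MetaTarget, controller: MetaTarget, req: HttpRequest): boolean {
  return guards.every(g => g(handler, controller, req));
}

// Constructed routes: class-level @Roles('admin'); one handler overrides it, one has no @Roles()
const adminController: MetaTarget = { metadata: { [ROLES_KEY]: ['admin'] } };
const editHandler: MetaTarget = { metadata: { [ROLES_KEY]: ['editor', 'admin'] } };
const listHandler: MetaTarget = { metadata: {} };
const openController: MetaTarget = { metadata: {} };
```

Each request object is created fresh per call because jwtAuthGuard mutates it to attach req.user, which is exactly the dependency that makes the guard order matter.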