How do you implement role-based access control (RBAC) with a guard and Reflector in NestJS?
Define a @Roles() decorator using SetMetadata, build a RolesGuard that reads the metadata via Reflector.getAllAndOverride(), and apply both globally or per route. getAllAndOverride returns the first defined value — method-level metadata overrides class-level, which is the correct inheritance behavior for RBAC.
Full RBAC implementation
Reflector methods for metadata reading:
getAllAndOverride(key, [handler, class]) — returns first defined value; method overrides class.
get(key, target) — reads metadata from a single target only.
getAllAndMerge(key, [handler, class]) — merges arrays from both targets into one.
Use getAllAndOverride for RBAC so method-level roles can override class-level defaults.