fix: enforce admin role requirement for SMTP configuration access

backend/internal/api/handlers/settings_handler.go

@@ -532,6 +532,10 @@ type SMTPConfigRequest struct {
 
 // GetSMTPConfig returns the current SMTP configuration.
 func (h *SettingsHandler) GetSMTPConfig(c *gin.Context) {
+	if !requireAdmin(c) {
+		return
+	}
+
 	config, err := h.MailService.GetSMTPConfig()
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch SMTP configuration"})

backend/internal/api/handlers/settings_handler_test.go

@@ -999,6 +999,25 @@ func TestSettingsHandler_GetSMTPConfig_DatabaseError(t *testing.T) {
 	assert.Equal(t, http.StatusInternalServerError, w.Code)
 }
 
+func TestSettingsHandler_GetSMTPConfig_NonAdminForbidden(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	handler, _ := setupSettingsHandlerWithMail(t)
+
+	router := gin.New()
+	router.Use(func(c *gin.Context) {
+		c.Set("role", "user")
+		c.Set("userID", uint(2))
+		c.Next()
+	})
+	router.GET("/api/v1/settings/smtp", handler.GetSMTPConfig)
+
+	w := httptest.NewRecorder()
+	req, _ := http.NewRequest("GET", "/api/v1/settings/smtp", http.NoBody)
+	router.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusForbidden, w.Code)
+}
+
 func TestSettingsHandler_UpdateSMTPConfig_NonAdmin(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 	handler, _ := setupSettingsHandlerWithMail(t)

backend/internal/api/routes/routes.go

@@ -277,7 +277,7 @@ func RegisterWithDeps(router *gin.Engine, db *gorm.DB, cfg config.Config, caddyM
 		protected.PATCH("/config", settingsHandler.PatchConfig)     // Bulk configuration update
 
 		// SMTP Configuration
-		protected.GET("/settings/smtp", settingsHandler.GetSMTPConfig)
+		protected.GET("/settings/smtp", middleware.RequireRole("admin"), settingsHandler.GetSMTPConfig)
 		protected.POST("/settings/smtp", settingsHandler.UpdateSMTPConfig)
 		protected.POST("/settings/smtp/test", settingsHandler.TestSMTPConfig)
 		protected.POST("/settings/smtp/test-email", settingsHandler.SendTestEmail)