feat(server): granular permissions for api keys (#11824)

feat(server): api auth permissions
2025-12-18 17:23:16 +03:00 · 2024-08-16 09:48:43 -04:00
parent a372b56d44
commit f230b3aa42
43 changed files with 817 additions and 135 deletions
--- a/server/src/controllers/activity.controller.ts
+++ b/server/src/controllers/activity.controller.ts
@@ -9,6 +9,7 @@ import {
  ActivityStatisticsResponseDto,
 } from 'src/dtos/activity.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
+import { Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { ActivityService } from 'src/services/activity.service';
 import { UUIDParamDto } from 'src/validation';
@@ -19,19 +20,19 @@ export class ActivityController {
  constructor(private service: ActivityService) {}

  @Get()
-  @Authenticated()
+  @Authenticated({ permission: Permission.ACTIVITY_READ })
  getActivities(@Auth() auth: AuthDto, @Query() dto: ActivitySearchDto): Promise<ActivityResponseDto[]> {
    return this.service.getAll(auth, dto);
  }

  @Get('statistics')
-  @Authenticated()
+  @Authenticated({ permission: Permission.ACTIVITY_STATISTICS })
  getActivityStatistics(@Auth() auth: AuthDto, @Query() dto: ActivityDto): Promise<ActivityStatisticsResponseDto> {
    return this.service.getStatistics(auth, dto);
  }

  @Post()
-  @Authenticated()
+  @Authenticated({ permission: Permission.ACTIVITY_CREATE })
  async createActivity(
    @Auth() auth: AuthDto,
    @Body() dto: ActivityCreateDto,
@@ -46,7 +47,7 @@ export class ActivityController {

  @Delete(':id')
  @HttpCode(HttpStatus.NO_CONTENT)
-  @Authenticated()
+  @Authenticated({ permission: Permission.ACTIVITY_DELETE })
  deleteActivity(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.delete(auth, id);
  }
--- a/server/src/controllers/album.controller.ts
+++ b/server/src/controllers/album.controller.ts
@@ -12,6 +12,7 @@ import {
 } from 'src/dtos/album.dto';
 import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
+import { Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { AlbumService } from 'src/services/album.service';
 import { ParseMeUUIDPipe, UUIDParamDto } from 'src/validation';
@@ -22,24 +23,24 @@ export class AlbumController {
  constructor(private service: AlbumService) {}

  @Get('count')
-  @Authenticated()
+  @Authenticated({ permission: Permission.ALBUM_STATISTICS })
  getAlbumCount(@Auth() auth: AuthDto): Promise<AlbumCountResponseDto> {
    return this.service.getCount(auth);
  }

  @Get()
-  @Authenticated()
+  @Authenticated({ permission: Permission.ALBUM_READ })
  getAllAlbums(@Auth() auth: AuthDto, @Query() query: GetAlbumsDto): Promise<AlbumResponseDto[]> {
    return this.service.getAll(auth, query);
  }

  @Post()
-  @Authenticated()
+  @Authenticated({ permission: Permission.ALBUM_CREATE })
  createAlbum(@Auth() auth: AuthDto, @Body() dto: CreateAlbumDto): Promise<AlbumResponseDto> {
    return this.service.create(auth, dto);
  }

-  @Authenticated({ sharedLink: true })
+  @Authenticated({ permission: Permission.ALBUM_READ, sharedLink: true })
  @Get(':id')
  getAlbumInfo(
    @Auth() auth: AuthDto,
@@ -50,7 +51,7 @@ export class AlbumController {
  }

  @Patch(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.ALBUM_UPDATE })
  updateAlbumInfo(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -60,7 +61,7 @@ export class AlbumController {
  }

  @Delete(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.ALBUM_DELETE })
  deleteAlbum(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto) {
    return this.service.delete(auth, id);
  }
--- a/server/src/controllers/api-key.controller.ts
+++ b/server/src/controllers/api-key.controller.ts
@@ -2,6 +2,7 @@ import { Body, Controller, Delete, Get, HttpCode, HttpStatus, Param, Post, Put }
 import { ApiTags } from '@nestjs/swagger';
 import { APIKeyCreateDto, APIKeyCreateResponseDto, APIKeyResponseDto, APIKeyUpdateDto } from 'src/dtos/api-key.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
+import { Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { APIKeyService } from 'src/services/api-key.service';
 import { UUIDParamDto } from 'src/validation';
@@ -12,25 +13,25 @@ export class APIKeyController {
  constructor(private service: APIKeyService) {}

  @Post()
-  @Authenticated()
+  @Authenticated({ permission: Permission.API_KEY_CREATE })
  createApiKey(@Auth() auth: AuthDto, @Body() dto: APIKeyCreateDto): Promise<APIKeyCreateResponseDto> {
    return this.service.create(auth, dto);
  }

  @Get()
-  @Authenticated()
+  @Authenticated({ permission: Permission.API_KEY_READ })
  getApiKeys(@Auth() auth: AuthDto): Promise<APIKeyResponseDto[]> {
    return this.service.getAll(auth);
  }

  @Get(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.API_KEY_READ })
  getApiKey(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<APIKeyResponseDto> {
    return this.service.getById(auth, id);
  }

  @Put(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.API_KEY_UPDATE })
  updateApiKey(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -41,7 +42,7 @@ export class APIKeyController {

  @Delete(':id')
  @HttpCode(HttpStatus.NO_CONTENT)
-  @Authenticated()
+  @Authenticated({ permission: Permission.API_KEY_DELETE })
  deleteApiKey(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.delete(auth, id);
  }
--- a/server/src/controllers/face.controller.ts
+++ b/server/src/controllers/face.controller.ts
@@ -2,6 +2,7 @@ import { Body, Controller, Get, Param, Put, Query } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { AuthDto } from 'src/dtos/auth.dto';
 import { AssetFaceResponseDto, FaceDto, PersonResponseDto } from 'src/dtos/person.dto';
+import { Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { PersonService } from 'src/services/person.service';
 import { UUIDParamDto } from 'src/validation';
@@ -12,13 +13,13 @@ export class FaceController {
  constructor(private service: PersonService) {}

  @Get()
-  @Authenticated()
+  @Authenticated({ permission: Permission.FACE_READ })
  getFaces(@Auth() auth: AuthDto, @Query() dto: FaceDto): Promise<AssetFaceResponseDto[]> {
    return this.service.getFacesById(auth, dto);
  }

  @Put(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.FACE_UPDATE })
  reassignFacesById(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
--- a/server/src/controllers/library.controller.ts
+++ b/server/src/controllers/library.controller.ts
@@ -9,6 +9,7 @@ import {
  ValidateLibraryDto,
  ValidateLibraryResponseDto,
 } from 'src/dtos/library.dto';
+import { Permission } from 'src/enum';
 import { Authenticated } from 'src/middleware/auth.guard';
 import { LibraryService } from 'src/services/library.service';
 import { UUIDParamDto } from 'src/validation';
@@ -19,25 +20,25 @@ export class LibraryController {
  constructor(private service: LibraryService) {}

  @Get()
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.LIBRARY_READ, admin: true })
  getAllLibraries(): Promise<LibraryResponseDto[]> {
    return this.service.getAll();
  }

  @Post()
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.LIBRARY_CREATE, admin: true })
  createLibrary(@Body() dto: CreateLibraryDto): Promise<LibraryResponseDto> {
    return this.service.create(dto);
  }

  @Put(':id')
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.LIBRARY_UPDATE, admin: true })
  updateLibrary(@Param() { id }: UUIDParamDto, @Body() dto: UpdateLibraryDto): Promise<LibraryResponseDto> {
    return this.service.update(id, dto);
  }

  @Get(':id')
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.LIBRARY_READ, admin: true })
  getLibrary(@Param() { id }: UUIDParamDto): Promise<LibraryResponseDto> {
    return this.service.get(id);
  }
@@ -52,13 +53,13 @@ export class LibraryController {

  @Delete(':id')
  @HttpCode(HttpStatus.NO_CONTENT)
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.LIBRARY_DELETE, admin: true })
  deleteLibrary(@Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.delete(id);
  }

  @Get(':id/statistics')
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.LIBRARY_STATISTICS, admin: true })
  getLibraryStatistics(@Param() { id }: UUIDParamDto): Promise<LibraryStatsResponseDto> {
    return this.service.getStatistics(id);
  }
--- a/server/src/controllers/memory.controller.ts
+++ b/server/src/controllers/memory.controller.ts
@@ -3,6 +3,7 @@ import { ApiTags } from '@nestjs/swagger';
 import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
 import { MemoryCreateDto, MemoryResponseDto, MemoryUpdateDto } from 'src/dtos/memory.dto';
+import { Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { MemoryService } from 'src/services/memory.service';
 import { UUIDParamDto } from 'src/validation';
@@ -13,25 +14,25 @@ export class MemoryController {
  constructor(private service: MemoryService) {}

  @Get()
-  @Authenticated()
+  @Authenticated({ permission: Permission.MEMORY_READ })
  searchMemories(@Auth() auth: AuthDto): Promise<MemoryResponseDto[]> {
    return this.service.search(auth);
  }

  @Post()
-  @Authenticated()
+  @Authenticated({ permission: Permission.MEMORY_CREATE })
  createMemory(@Auth() auth: AuthDto, @Body() dto: MemoryCreateDto): Promise<MemoryResponseDto> {
    return this.service.create(auth, dto);
  }

  @Get(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.MEMORY_READ })
  getMemory(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<MemoryResponseDto> {
    return this.service.get(auth, id);
  }

  @Put(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.MEMORY_UPDATE })
  updateMemory(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -42,7 +43,7 @@ export class MemoryController {

  @Delete(':id')
  @HttpCode(HttpStatus.NO_CONTENT)
-  @Authenticated()
+  @Authenticated({ permission: Permission.MEMORY_DELETE })
  deleteMemory(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.remove(auth, id);
  }
--- a/server/src/controllers/partner.controller.ts
+++ b/server/src/controllers/partner.controller.ts
@@ -2,6 +2,7 @@ import { Body, Controller, Delete, Get, Param, Post, Put, Query } from '@nestjs/
 import { ApiQuery, ApiTags } from '@nestjs/swagger';
 import { AuthDto } from 'src/dtos/auth.dto';
 import { PartnerResponseDto, PartnerSearchDto, UpdatePartnerDto } from 'src/dtos/partner.dto';
+import { Permission } from 'src/enum';
 import { PartnerDirection } from 'src/interfaces/partner.interface';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { PartnerService } from 'src/services/partner.service';
@@ -14,20 +15,20 @@ export class PartnerController {

  @Get()
  @ApiQuery({ name: 'direction', type: 'string', enum: PartnerDirection, required: true })
-  @Authenticated()
+  @Authenticated({ permission: Permission.PARTNER_READ })
  // TODO: remove 'direction' and convert to full query dto
  getPartners(@Auth() auth: AuthDto, @Query() dto: PartnerSearchDto): Promise<PartnerResponseDto[]> {
    return this.service.search(auth, dto);
  }

  @Post(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.PARTNER_CREATE })
  createPartner(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<PartnerResponseDto> {
    return this.service.create(auth, id);
  }

  @Put(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.PARTNER_UPDATE })
  updatePartner(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -37,7 +38,7 @@ export class PartnerController {
  }

  @Delete(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.PARTNER_DELETE })
  removePartner(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.remove(auth, id);
  }
--- a/server/src/controllers/person.controller.ts
+++ b/server/src/controllers/person.controller.ts
@@ -16,6 +16,7 @@ import {
  PersonStatisticsResponseDto,
  PersonUpdateDto,
 } from 'src/dtos/person.dto';
+import { Permission } from 'src/enum';
 import { ILoggerRepository } from 'src/interfaces/logger.interface';
 import { Auth, Authenticated, FileResponse } from 'src/middleware/auth.guard';
 import { PersonService } from 'src/services/person.service';
@@ -31,31 +32,31 @@ export class PersonController {
  ) {}

  @Get()
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_READ })
  getAllPeople(@Auth() auth: AuthDto, @Query() withHidden: PersonSearchDto): Promise<PeopleResponseDto> {
    return this.service.getAll(auth, withHidden);
  }

  @Post()
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_CREATE })
  createPerson(@Auth() auth: AuthDto, @Body() dto: PersonCreateDto): Promise<PersonResponseDto> {
    return this.service.create(auth, dto);
  }

  @Put()
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_UPDATE })
  updatePeople(@Auth() auth: AuthDto, @Body() dto: PeopleUpdateDto): Promise<BulkIdResponseDto[]> {
    return this.service.updateAll(auth, dto);
  }

  @Get(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_READ })
  getPerson(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<PersonResponseDto> {
    return this.service.getById(auth, id);
  }

  @Put(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_UPDATE })
  updatePerson(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -65,14 +66,14 @@ export class PersonController {
  }

  @Get(':id/statistics')
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_STATISTICS })
  getPersonStatistics(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<PersonStatisticsResponseDto> {
    return this.service.getStatistics(auth, id);
  }

  @Get(':id/thumbnail')
  @FileResponse()
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_READ })
  async getPersonThumbnail(
    @Res() res: Response,
    @Next() next: NextFunction,
@@ -90,7 +91,7 @@ export class PersonController {
  }

  @Put(':id/reassign')
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_REASSIGN })
  reassignFaces(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -100,7 +101,7 @@ export class PersonController {
  }

  @Post(':id/merge')
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_MERGE })
  mergePerson(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
--- a/server/src/controllers/shared-link.controller.ts
+++ b/server/src/controllers/shared-link.controller.ts
@@ -10,6 +10,7 @@ import {
  SharedLinkPasswordDto,
  SharedLinkResponseDto,
 } from 'src/dtos/shared-link.dto';
+import { Permission } from 'src/enum';
 import { Auth, Authenticated, GetLoginDetails } from 'src/middleware/auth.guard';
 import { LoginDetails } from 'src/services/auth.service';
 import { SharedLinkService } from 'src/services/shared-link.service';
@@ -22,7 +23,7 @@ export class SharedLinkController {
  constructor(private service: SharedLinkService) {}

  @Get()
-  @Authenticated()
+  @Authenticated({ permission: Permission.SHARED_LINK_READ })
  getAllSharedLinks(@Auth() auth: AuthDto): Promise<SharedLinkResponseDto[]> {
    return this.service.getAll(auth);
  }
@@ -48,19 +49,19 @@ export class SharedLinkController {
  }

  @Get(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.SHARED_LINK_READ })
  getSharedLinkById(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<SharedLinkResponseDto> {
    return this.service.get(auth, id);
  }

  @Post()
-  @Authenticated()
+  @Authenticated({ permission: Permission.SHARED_LINK_CREATE })
  createSharedLink(@Auth() auth: AuthDto, @Body() dto: SharedLinkCreateDto) {
    return this.service.create(auth, dto);
  }

  @Patch(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.SHARED_LINK_UPDATE })
  updateSharedLink(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -70,7 +71,7 @@ export class SharedLinkController {
  }

  @Delete(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.SHARED_LINK_DELETE })
  removeSharedLink(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.remove(auth, id);
  }
--- a/server/src/controllers/system-config.controller.ts
+++ b/server/src/controllers/system-config.controller.ts
@@ -1,6 +1,7 @@
 import { Body, Controller, Get, Put } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { SystemConfigDto, SystemConfigTemplateStorageOptionDto } from 'src/dtos/system-config.dto';
+import { Permission } from 'src/enum';
 import { Authenticated } from 'src/middleware/auth.guard';
 import { SystemConfigService } from 'src/services/system-config.service';

@@ -10,25 +11,25 @@ export class SystemConfigController {
  constructor(private service: SystemConfigService) {}

  @Get()
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.SYSTEM_CONFIG_READ, admin: true })
  getConfig(): Promise<SystemConfigDto> {
    return this.service.getConfig();
  }

  @Get('defaults')
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.SYSTEM_CONFIG_READ, admin: true })
  getConfigDefaults(): SystemConfigDto {
    return this.service.getDefaults();
  }

  @Put()
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.SYSTEM_CONFIG_UPDATE, admin: true })
  updateConfig(@Body() dto: SystemConfigDto): Promise<SystemConfigDto> {
    return this.service.updateConfig(dto);
  }

  @Get('storage-template-options')
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.SYSTEM_CONFIG_READ, admin: true })
  getStorageTemplateOptions(): SystemConfigTemplateStorageOptionDto {
    return this.service.getStorageTemplateOptions();
  }
--- a/server/src/controllers/system-metadata.controller.ts
+++ b/server/src/controllers/system-metadata.controller.ts
@@ -1,6 +1,7 @@
 import { Body, Controller, Get, HttpCode, HttpStatus, Post } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { AdminOnboardingUpdateDto, ReverseGeocodingStateResponseDto } from 'src/dtos/system-metadata.dto';
+import { Permission } from 'src/enum';
 import { Authenticated } from 'src/middleware/auth.guard';
 import { SystemMetadataService } from 'src/services/system-metadata.service';

@@ -10,20 +11,20 @@ export class SystemMetadataController {
  constructor(private service: SystemMetadataService) {}

  @Get('admin-onboarding')
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.SYSTEM_METADATA_READ, admin: true })
  getAdminOnboarding(): Promise<AdminOnboardingUpdateDto> {
    return this.service.getAdminOnboarding();
  }

  @Post('admin-onboarding')
  @HttpCode(HttpStatus.NO_CONTENT)
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.SYSTEM_METADATA_UPDATE, admin: true })
  updateAdminOnboarding(@Body() dto: AdminOnboardingUpdateDto): Promise<void> {
    return this.service.updateAdminOnboarding(dto);
  }

  @Get('reverse-geocoding-state')
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.SYSTEM_METADATA_READ, admin: true })
  getReverseGeocodingState(): Promise<ReverseGeocodingStateResponseDto> {
    return this.service.getReverseGeocodingState();
  }
--- a/server/src/controllers/tag.controller.ts
+++ b/server/src/controllers/tag.controller.ts
@@ -5,6 +5,7 @@ import { AssetResponseDto } from 'src/dtos/asset-response.dto';
 import { AssetIdsDto } from 'src/dtos/asset.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
 import { CreateTagDto, TagResponseDto, UpdateTagDto } from 'src/dtos/tag.dto';
+import { Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { TagService } from 'src/services/tag.service';
 import { UUIDParamDto } from 'src/validation';
@@ -15,31 +16,31 @@ export class TagController {
  constructor(private service: TagService) {}

  @Post()
-  @Authenticated()
+  @Authenticated({ permission: Permission.TAG_CREATE })
  createTag(@Auth() auth: AuthDto, @Body() dto: CreateTagDto): Promise<TagResponseDto> {
    return this.service.create(auth, dto);
  }

  @Get()
-  @Authenticated()
+  @Authenticated({ permission: Permission.TAG_READ })
  getAllTags(@Auth() auth: AuthDto): Promise<TagResponseDto[]> {
    return this.service.getAll(auth);
  }

  @Get(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.TAG_READ })
  getTagById(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<TagResponseDto> {
    return this.service.getById(auth, id);
  }

  @Patch(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.TAG_UPDATE })
  updateTag(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto, @Body() dto: UpdateTagDto): Promise<TagResponseDto> {
    return this.service.update(auth, id, dto);
  }

  @Delete(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.TAG_DELETE })
  deleteTag(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.remove(auth, id);
  }
--- a/server/src/controllers/user-admin.controller.ts
+++ b/server/src/controllers/user-admin.controller.ts
@@ -9,6 +9,7 @@ import {
  UserAdminSearchDto,
  UserAdminUpdateDto,
 } from 'src/dtos/user.dto';
+import { Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { UserAdminService } from 'src/services/user-admin.service';
 import { UUIDParamDto } from 'src/validation';
@@ -19,25 +20,25 @@ export class UserAdminController {
  constructor(private service: UserAdminService) {}

  @Get()
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.ADMIN_USER_READ, admin: true })
  searchUsersAdmin(@Auth() auth: AuthDto, @Query() dto: UserAdminSearchDto): Promise<UserAdminResponseDto[]> {
    return this.service.search(auth, dto);
  }

  @Post()
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.ADMIN_USER_CREATE, admin: true })
  createUserAdmin(@Body() createUserDto: UserAdminCreateDto): Promise<UserAdminResponseDto> {
    return this.service.create(createUserDto);
  }

  @Get(':id')
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.ADMIN_USER_READ, admin: true })
  getUserAdmin(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<UserAdminResponseDto> {
    return this.service.get(auth, id);
  }

  @Put(':id')
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.ADMIN_USER_UPDATE, admin: true })
  updateUserAdmin(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -47,7 +48,7 @@ export class UserAdminController {
  }

  @Delete(':id')
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.ADMIN_USER_DELETE, admin: true })
  deleteUserAdmin(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -57,13 +58,13 @@ export class UserAdminController {
  }

  @Get(':id/preferences')
-  @Authenticated()
+  @Authenticated({ permission: Permission.ADMIN_USER_READ, admin: true })
  getUserPreferencesAdmin(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<UserPreferencesResponseDto> {
    return this.service.getPreferences(auth, id);
  }

  @Put(':id/preferences')
-  @Authenticated()
+  @Authenticated({ permission: Permission.ADMIN_USER_UPDATE, admin: true })
  updateUserPreferencesAdmin(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -73,7 +74,7 @@ export class UserAdminController {
  }

  @Post(':id/restore')
-  @Authenticated({ admin: true })
+  @Authenticated({ permission: Permission.ADMIN_USER_DELETE, admin: true })
  restoreUserAdmin(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<UserAdminResponseDto> {
    return this.service.restore(auth, id);
  }