feat(server): granular permissions for api keys (#11824)

feat(server): api auth permissions

server/src/controllers/album.controller.ts

@@ -12,6 +12,7 @@ import {
 } from 'src/dtos/album.dto';
 import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
+import { Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { AlbumService } from 'src/services/album.service';
 import { ParseMeUUIDPipe, UUIDParamDto } from 'src/validation';
@@ -22,24 +23,24 @@ export class AlbumController {
   constructor(private service: AlbumService) {}
 
   @Get('count')
-  @Authenticated()
+  @Authenticated({ permission: Permission.ALBUM_STATISTICS })
   getAlbumCount(@Auth() auth: AuthDto): Promise<AlbumCountResponseDto> {
     return this.service.getCount(auth);
   }
 
   @Get()
-  @Authenticated()
+  @Authenticated({ permission: Permission.ALBUM_READ })
   getAllAlbums(@Auth() auth: AuthDto, @Query() query: GetAlbumsDto): Promise<AlbumResponseDto[]> {
     return this.service.getAll(auth, query);
   }
 
   @Post()
-  @Authenticated()
+  @Authenticated({ permission: Permission.ALBUM_CREATE })
   createAlbum(@Auth() auth: AuthDto, @Body() dto: CreateAlbumDto): Promise<AlbumResponseDto> {
     return this.service.create(auth, dto);
   }
 
-  @Authenticated({ sharedLink: true })
+  @Authenticated({ permission: Permission.ALBUM_READ, sharedLink: true })
   @Get(':id')
   getAlbumInfo(
     @Auth() auth: AuthDto,
@@ -50,7 +51,7 @@ export class AlbumController {
   }
 
   @Patch(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.ALBUM_UPDATE })
   updateAlbumInfo(
     @Auth() auth: AuthDto,
     @Param() { id }: UUIDParamDto,
@@ -60,7 +61,7 @@ export class AlbumController {
   }
 
   @Delete(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.ALBUM_DELETE })
   deleteAlbum(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto) {
     return this.service.delete(auth, id);
   }