feat(server): granular permissions for api keys (#11824)

feat(server): api auth permissions

server/src/controllers/person.controller.ts

@@ -16,6 +16,7 @@ import {
   PersonStatisticsResponseDto,
   PersonUpdateDto,
 } from 'src/dtos/person.dto';
+import { Permission } from 'src/enum';
 import { ILoggerRepository } from 'src/interfaces/logger.interface';
 import { Auth, Authenticated, FileResponse } from 'src/middleware/auth.guard';
 import { PersonService } from 'src/services/person.service';
@@ -31,31 +32,31 @@ export class PersonController {
   ) {}
 
   @Get()
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_READ })
   getAllPeople(@Auth() auth: AuthDto, @Query() withHidden: PersonSearchDto): Promise<PeopleResponseDto> {
     return this.service.getAll(auth, withHidden);
   }
 
   @Post()
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_CREATE })
   createPerson(@Auth() auth: AuthDto, @Body() dto: PersonCreateDto): Promise<PersonResponseDto> {
     return this.service.create(auth, dto);
   }
 
   @Put()
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_UPDATE })
   updatePeople(@Auth() auth: AuthDto, @Body() dto: PeopleUpdateDto): Promise<BulkIdResponseDto[]> {
     return this.service.updateAll(auth, dto);
   }
 
   @Get(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_READ })
   getPerson(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<PersonResponseDto> {
     return this.service.getById(auth, id);
   }
 
   @Put(':id')
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_UPDATE })
   updatePerson(
     @Auth() auth: AuthDto,
     @Param() { id }: UUIDParamDto,
@@ -65,14 +66,14 @@ export class PersonController {
   }
 
   @Get(':id/statistics')
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_STATISTICS })
   getPersonStatistics(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<PersonStatisticsResponseDto> {
     return this.service.getStatistics(auth, id);
   }
 
   @Get(':id/thumbnail')
   @FileResponse()
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_READ })
   async getPersonThumbnail(
     @Res() res: Response,
     @Next() next: NextFunction,
@@ -90,7 +91,7 @@ export class PersonController {
   }
 
   @Put(':id/reassign')
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_REASSIGN })
   reassignFaces(
     @Auth() auth: AuthDto,
     @Param() { id }: UUIDParamDto,
@@ -100,7 +101,7 @@ export class PersonController {
   }
 
   @Post(':id/merge')
-  @Authenticated()
+  @Authenticated({ permission: Permission.PERSON_MERGE })
   mergePerson(
     @Auth() auth: AuthDto,
     @Param() { id }: UUIDParamDto,