feat(server): granular permissions for api keys (#11824)

feat(server): api auth permissions

server/src/controllers/activity.controller.ts

@@ -9,6 +9,7 @@ import {
   ActivityStatisticsResponseDto,
 } from 'src/dtos/activity.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
+import { Permission } from 'src/enum';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { ActivityService } from 'src/services/activity.service';
 import { UUIDParamDto } from 'src/validation';
@@ -19,19 +20,19 @@ export class ActivityController {
   constructor(private service: ActivityService) {}
 
   @Get()
-  @Authenticated()
+  @Authenticated({ permission: Permission.ACTIVITY_READ })
   getActivities(@Auth() auth: AuthDto, @Query() dto: ActivitySearchDto): Promise<ActivityResponseDto[]> {
     return this.service.getAll(auth, dto);
   }
 
   @Get('statistics')
-  @Authenticated()
+  @Authenticated({ permission: Permission.ACTIVITY_STATISTICS })
   getActivityStatistics(@Auth() auth: AuthDto, @Query() dto: ActivityDto): Promise<ActivityStatisticsResponseDto> {
     return this.service.getStatistics(auth, dto);
   }
 
   @Post()
-  @Authenticated()
+  @Authenticated({ permission: Permission.ACTIVITY_CREATE })
   async createActivity(
     @Auth() auth: AuthDto,
     @Body() dto: ActivityCreateDto,
@@ -46,7 +47,7 @@ export class ActivityController {
 
   @Delete(':id')
   @HttpCode(HttpStatus.NO_CONTENT)
-  @Authenticated()
+  @Authenticated({ permission: Permission.ACTIVITY_DELETE })
   deleteActivity(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
     return this.service.delete(auth, id);
   }