[BE] Protect all backend API routes

[afazio1]

Description

Currently, our frontend code restricts views / buttons based on user role. However, some of our backend API routes are not protected.

Add authorization to our backend API routes that don't already have it. Most GET API endpoints already have protection. For instance, Volunteer/Recipients only see limited information about a dog. A lot of the action API routes are missing authorization. For instance, only Admin + Managers should be able to delete dogs.

Authorization is based on user role and/or association. You can get a user's association with a dog using our backend utility function! Try to organize your auth logic into a function that can be reused across all our API routes. Here are the rules, if you are unsure of a rule ✨ ASK LEADERSHIP ✨. Roles: Manager

• Mark logs as resolved (auth already implemented in PATCH /api/logs)
• Edit all dogs, delete all dogs, create dogs
• Change anyone roles (except other managers)
• Create logs, delete own logs, edit own logs (edge case is when they are resolving a log. In that case, they can edit the resolved property of anyone's log)
• create (invite) users

Admin

• Edit all dogs, delete all dogs, create dogs
• Can change User to Admin role
• Create logs, delete own logs, edit own logs

Associations: Instructor/Caregiver

• edit associated dog info
• create logs for associated dog, edit own logs for associated dog, delete own logs for associated log

Volunteer/Recipient

• Edit their own name
• Create logs, edit, and delete logs for dogs they are associated with