Api endpoint authorization

[Tomislaw]

Api endpoint authorization

Description

Implement and verify api endpoint authorization. Superusers should be able to perform all operations. Normal users should be able to edit and delete entries they created.

Checklist

• [ ] Annotation
  • [ ] superusers can perform all operations
  • [ ] only superusers can override from_user_id or from_team_id
  • [ ] owners of annotation can edit and remove their items
  • [ ] team members with sufficient permission can edit and delete annotations belonging to their team
• [ ] Content
  • [ ] superusers can perform all operations
  • [ ] only superusers can override from_user_id or from_team_id
  • [ ] owners of content can edit and remove their items
  • [ ] team members with sufficient permission can edit and delete content belonging to their team
  • [ ] Users
  • [ ] Only superusers can edit, create or remove users
  • [ ] Teams
  • [ ] Only superusers can create teams
  • [ ] Team members with sufficient permission can remove or add members
  • [ ] Team members with sufficient permission can edit permission of other members
• Embedding: skip unless this functionality is already implemented
• [ ] Auth
  • [ ] only bots or superusers can create JWT tokens

Optional

• [ ] add scopes authorization for JWT tokens

[fearnworks]

We probably need to add some clarification on the ability to edit your own user. The way this reads is in conflict with #11 :

Only superusers can edit, create or remove users

As far as deletion, we should probably spin up a conversation somewhere on how we want to handle deletion and if we need to implement some sort of soft deletion mechanism for the different tables in the db.