Move authorization logic to the backend

Right now some authorization/permission related logic lives in the "frontend"/"web" part of the application.

It should be moved to the backend, maybe/probably into its own context Permissions or something similar. Theoretically every context can also provide functions to check its own permissions (as one context that depends on all others, is quite big) but permissions may often be cross cutting and in general an approach that centralizes these rules can often be good for the overview it provides.

This should also including scoping (i.e. taking a collection and scoping it down to the accessible records).

Why to the Backend?

The logic isn't entirely tied to the frontend/LiveView - if we had another way into the system, the logic would likely be the same
you should also never trust the FE as users can send whatever, so permissions should always be double checked on the backend side
- generally speaking, the BE should also not depend on the FE, the FE should depend on the BE
at their core these are pure functions well suited for the BE

Where are the permissions now?

They might be more scattered but right now a lot of them live in idea live: https://github.com/b310-digital/mindwendel/blob/aaa88c0f3a64c35a97d8c56e77e0b3fa8d4d0e5a/lib/mindwendel_web/live/live_helpers.ex#L6-L21

Libraries

There's a ton of libraries out there right now and I'm not entirely sure which one is best. A lot of them use more DSLs than I like but :shrug:

AppSignal blog post: https://blog.appsignal.com/2021/11/02/authorization-and-policy-scopes-for-phoenix-apps.html
bodyguard (used in above blog post): https://github.com/schrockwell/bodyguard
permit - I like the approach on a first glance but perhaps not most complete and maintained https://github.com/curiosum-dev/permit
let_me - very DSL heavy https://github.com/woylie/let_me
canada - very Ruby-like https://github.com/jarednorman/canada

b310-digital / mindwendel