Enforce API authorization based on Permissions

[rishkwal]

We need to put the following restrictions on a user based on the Permissions:

• If for a given project_id and contributor_id, the type==owner, then:
  • The contributor can createPhase, editPhase or deletePhase (on the Timeline)
  • accept, reject or counter allocations proposed for that Project by another contributor
  • Delete the project
  • Add clients and Payments to the Project
  • can create allocations to contributors
• If for a given project_id and contributor_id, the type==contributor, then:
  • They can read the details of the projects
  • can accept, reject or counter an allocation made to them by the Project admin
  • propose an allocation to themself for that specific project

[otech47]

https://github.com/setlife-network/trinary/discussions/686#discussioncomment-3681929

[otech47]

Example considerations

• all fetch project queries should read the Permissions table first to see what Projects the user has access to
• add a basic DirectiveResolver authorizedUser or authorizeContributor or authenticatedContributor
• deleteProjectById would require an owner Permission
• Exception: If a Project has is_public=true then it can be returned in a new query fetchPublicProjects and ignores any permissions for read-only operations

[otech47]

@otech47: provide sample code for Directive Resolvers