strapi-community / strapi-plugin-slugify

A plugin for Strapi Headless CMS that provides the ability to auto slugify a field for any content type.
https://market.strapi.io/plugins/strapi-plugin-slugify
MIT License

fix(slugController): respect foreign model access permissions #32

Closed Convly closed 2 years ago

Convly commented 2 years ago

Hey,

(related to #29)

A bit of explanation here: The contentAPI.sanitizeOutput util only sanitizes your data based on the content API core controller usage (private, passwords, restricted relations), thus it is not meant to handle route level permissions checks. It is however perfect to remove unwanted properties (such as populated relations) from your response.

In theory, if you want to apply permission verification to your routes with the users & permissions plugin, you would need to pass a config: { auth: { scope: '...' } } config to your route. However, here it's not possible since the model name is dynamic (based on a request param).

While we don't support the dynamic definition of your auth config/scope based on the request params, you can still verify that the incoming request is made by an authorized user (based on the model they want to access). To do so, I'm just calling the strapi.auth.verify internal API and I give it the request auth object along with a scope to verify (here the modelUID.findOne, one can argue that we could also use the find, it's up to you). If it fails then I throw a forbidden error since it means that the user doesn't have the required permission.

I tested it on my end and it seems to work quite well, let me know what you think of it 🙂
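The check described above, written out as an added example rather than the plugin's own code: a controller-style handler resolves the dynamic model from the route param, asks the auth layer to verify the `<uid>.findOne` scope for the request's auth object, and answers 403 if that fails. The `strapi` object, the `MODEL_UIDS` mapping, the `findSlug` name and the `credentials.role` shape are constructed stand-ins so the block runs offline; the call shape `strapi.auth.verify(auth, { scope })` is assumed from Strapi v4.

```javascript
// Stand-in for @strapi/utils' ForbiddenError (constructed for this example).
class ForbiddenError extends Error {
  constructor(message = 'Forbidden') {
    super(message);
    this.name = 'ForbiddenError';
    this.status = 403;
  }
}

// Constructed stand-in for the Strapi runtime: rolePermissions maps a role
// name to the set of action scopes (e.g. 'api::article.article.findOne') it holds.
function makeStrapi(rolePermissions) {
  return {
    auth: {
      // Mirrors strapi.auth.verify(auth, { scope }) (assumed signature): resolves
      // when every requested scope is granted to the caller, throws otherwise.
      async verify(auth, { scope = [] } = {}) {
        const role = auth && auth.credentials && auth.credentials.role;
        const granted = rolePermissions[role] || new Set();
        for (const s of Array.isArray(scope) ? scope : [scope]) {
          if (!granted.has(s)) throw new ForbiddenError(`Missing permission: ${s}`);
        }
      },
    },
  };
}

// Public model name from the route param -> content-type UID.
// Constructed mapping; the real plugin takes this from its config.
const MODEL_UIDS = { article: 'api::article.article', page: 'api::page.page' };

// Controller handler: unknown model -> 404; no findOne permission for that
// model -> 403; otherwise run the lookup. Returns a result object instead of
// writing ctx.body so the outcome can be inspected directly.
async function findSlug(strapi, ctx, lookup) {
  const uid = MODEL_UIDS[ctx.params.modelName];
  if (!uid) return { status: 404, body: null };
  try {
    // The scope is built per request because the model is dynamic.
    await strapi.auth.verify(ctx.state.auth, { scope: [`${uid}.findOne`] });
  } catch (err) {
    if (err instanceof ForbiddenError) return { status: 403, body: null };
    throw err; // anything else is a real failure, not a permission denial
  }
  return { status: 200, body: await lookup(uid, ctx.params.slug) };
}
```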

Convly commented 2 years ago

By the way, I totally forgot to implement it on the GraphQL Query resolver too. I can either add it tomorrow (CET) or let you do it directly.

ComfortablyCoding commented 2 years ago

Thank you very much for the PR fix. I will do the GraphQL changes in another PR.