Implement authorization service and refactor services to use it

- Added `AuthorizationService` and its implementation `AuthorizationServiceImpl` to handle permission checks across various services.
- Refactored `AlbumServiceImpl`, `MediaServiceImpl`, `PersonServiceImpl`, and `TagServiceImpl` to utilize the new authorization service for permission checks.
- Removed direct permission checks from services and replaced them with calls to the `AuthorizationService`.
- Updated repository interfaces to include new methods for checking media permissions in shared albums.
- Enhanced the `authz` module with new permission types for better granularity in access control.
- Adjusted the `AppState` struct to include the new `authorization_service`.

libertas_core/src/services.rs

@@ -2,11 +2,9 @@ use async_trait::async_trait;
 use uuid::Uuid;
 
 use crate::{
-    error::CoreResult,
-    models::{Album, FaceRegion, Media, MediaBundle, Person, PersonPermission, Tag, User},
-    schema::{
+    authz::Permission, error::CoreResult, models::{Album, FaceRegion, Media, MediaBundle, Person, PersonPermission, Tag, User}, schema::{
         AddMediaToAlbumData, CreateAlbumData, CreateUserData, ListMediaOptions, LoginUserData, ShareAlbumData, UpdateAlbumData, UploadMediaData
-    },
+    }
 };
 
 #[async_trait]
@@ -84,4 +82,9 @@ pub trait PersonService: Send + Sync {
         target_user_id: Uuid,
         owner_id: Uuid,
     ) -> CoreResult<()>;
+}
+
+#[async_trait]
+pub trait AuthorizationService: Send + Sync {
+    async fn check_permission(&self, user_id: Uuid, permission: Permission) -> CoreResult<()>;
 }