feat(auth): restrict generic routes for auth models

- Added "unsupported" permission type
- Updated auth model permissions
- Added check in middleware

Author: fulleni

lib/src/middlewares/authorization_middleware.dart

@@ -84,6 +84,18 @@ Middleware authorizationMiddleware() {
               'You do not have permission to perform this action.',
             );
           }
+        case RequiredPermissionType.unsupported:
+          // This action is explicitly marked as not supported via this generic route.
+          // Return Method Not Allowed.
+          print(
+            '[AuthorizationMiddleware] Action for model "$modelName", method "$method" '
+            'is marked as unsupported via generic route.',
+          );
+          // Throw ForbiddenException to be caught by the errorHandler
+          throw ForbiddenException(
+            'Method "$method" is not supported for model "$modelName" '
+            'via this generic data endpoint.',
+          );
       }
 
       // If all checks pass, proceed to the next handler in the chain.

lib/src/registry/model_registry.dart

@@ -18,6 +18,10 @@ enum RequiredPermissionType {
 
   /// Requires the user to have a specific permission string.
   specificPermission,
+
+  /// This action is not supported via this generic route.
+  /// It is typically handled by a dedicated service or route.
+  unsupported,
 }
 
 /// Configuration for the authorization requirements of a single HTTP method
@@ -196,17 +200,15 @@ final modelRegistry = <String, ModelConfig<dynamic>>{
       requiresOwnershipCheck: true, // Must be the owner
     ),
     postPermission: const ModelActionPermission(
-      type: RequiredPermissionType.none, // User creation handled by auth routes
+      type: RequiredPermissionType.unsupported, // User creation handled by auth routes
     ),
     putPermission: const ModelActionPermission(
       type: RequiredPermissionType.specificPermission,
       permission: Permissions.userUpdateOwned, // User can update their own
       requiresOwnershipCheck: true, // Must be the owner
     ),
     deletePermission: const ModelActionPermission(
-      type: RequiredPermissionType.specificPermission,
-      permission: Permissions.userDeleteOwned, // User can delete their own
-      requiresOwnershipCheck: true, // Must be the owner
+      type: RequiredPermissionType.unsupported, // User can delete their own
     ),
   ),
   // Configuration for UserAppSettings (user-owned)
@@ -220,7 +222,7 @@ final modelRegistry = <String, ModelConfig<dynamic>>{
       requiresOwnershipCheck: true,
     ),
     postPermission: const ModelActionPermission(
-      type: RequiredPermissionType.none,
+      type: RequiredPermissionType.unsupported,
       // Creation of UserAppSettings is handled by the authentication service
       // during user creation, not via a direct POST to /api/v1/data.
     ),
@@ -230,7 +232,7 @@ final modelRegistry = <String, ModelConfig<dynamic>>{
       requiresOwnershipCheck: true,
     ),
     deletePermission: const ModelActionPermission(
-      type: RequiredPermissionType.none,
+      type: RequiredPermissionType.unsupported,
       // Deletion of UserAppSettings is handled by the authentication service
       // during account deletion, not via a direct DELETE to /api/v1/data.
     ),
@@ -246,7 +248,7 @@ final modelRegistry = <String, ModelConfig<dynamic>>{
       requiresOwnershipCheck: true,
     ),
     postPermission: const ModelActionPermission(
-      type: RequiredPermissionType.none,
+      type: RequiredPermissionType.unsupported,
       // Creation of UserContentPreferences is handled by the authentication
       // service during user creation, not via a direct POST to /api/v1/data.
     ),
@@ -256,7 +258,7 @@ final modelRegistry = <String, ModelConfig<dynamic>>{
       requiresOwnershipCheck: true,
     ),
     deletePermission: const ModelActionPermission(
-      type: RequiredPermissionType.none,
+      type: RequiredPermissionType.unsupported,
       // Deletion of UserContentPreferences is handled by the authentication
       // service during account deletion, not via a direct DELETE to /api/v1/data.
     ),