Initial commit with Email Import Wizard and Task Processor updates

paperless-backend/src/auth/permissions.guard.ts

@@ -0,0 +1,40 @@
+import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { PERMISSIONS_KEY } from './permissions.decorator';
+import { Permission } from './permissions.enum';
+
+@Injectable()
+export class PermissionsGuard implements CanActivate {
+  constructor(private reflector: Reflector) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const requiredPermissions = this.reflector.getAllAndOverride<Permission[]>(PERMISSIONS_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+    
+    if (!requiredPermissions) {
+      return true;
+    }
+    
+    const { user } = context.switchToHttp().getRequest();
+    
+    // Let API Key requests bypass the permissions check for now, unless explicitly denied.
+    // Usually API keys have different scopes, but assuming they act as Admins for automated uploads.
+    if (user && user.apiKey) {
+      return true;
+    }
+    
+    if (!user || !user.permissions) {
+      return false;
+    }
+    
+    const userPermissions = user.permissions as Permission[];
+    
+    if (userPermissions.includes(Permission.MANAGE_ALL)) {
+      return true;
+    }
+    
+    return requiredPermissions.some((permission) => userPermissions.includes(permission));
+  }
+}