Open
Description
Currently, permission checks happen at the service classes, which is kind of hard to maintain, especially when trying to reuse services outside of user calls, e.g. within occ commands that do not have a current user present.
Ideally the permission checks should rather happen at the controller level.
Enforcing through annotations like in Talk seems like a nice approach: https://github.com/nextcloud/spreed/blob/master/lib/Middleware/InjectionMiddleware.php
Additional caution is required to avoid duplicate queries with the relational object structure we have.
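A sketch of the annotation-driven check proposed above, as an added example that is not code from this project or from Talk: the service performs no permission checks, a dispatch step enforces the permission declared on the controller action, and a per-request cache avoids repeating the ACL lookup. All class, function and parameter names are hypothetical, the board data is constructed, and PHP 8.0+ is assumed.

```php
<?php declare(strict_types=1);

// Hypothetical attribute naming the permission a controller action requires.
#[Attribute(Attribute::TARGET_METHOD)]
final class RequirePermission {
    public function __construct(public string $permission, public string $idParam = 'boardId') {}
}
// Service layer without permission checks, so a CLI command can reuse it with no user.
final class BoardService {
    // Constructed sample data standing in for the database.
    private array $boards = [1 => ['acl' => ['alice' => ['read', 'edit'], 'bob' => ['read']]]];
    public function find(int $id): array { return $this->boards[$id] ?? throw new RuntimeException('404 Not Found'); }
    public function rename(int $id, string $title): string { return "board $id renamed to $title"; }
}
// Caches each board's ACL per request so repeated checks do not repeat the lookup.
final class PermissionChecker {
    private array $acl = [];
    public function __construct(private BoardService $boards) {}
    public function allows(string $user, int $boardId, string $permission): bool {
        $this->acl[$boardId] ??= $this->boards->find($boardId)['acl'];
        return in_array($permission, $this->acl[$boardId][$user] ?? [], true);
    }
}
final class BoardController {
    public function __construct(private BoardService $boards) {}
    #[RequirePermission('edit')]
    public function rename(int $boardId, string $title): string { return $this->boards->rename($boardId, $title); }
}

// Middleware step run before each action; fails closed when no permission is declared.
function dispatch(object $controller, string $method, array $params, ?string $user, PermissionChecker $checker): mixed {
    $attrs = (new ReflectionMethod($controller, $method))->getAttributes(RequirePermission::class);
    if ($attrs === []) { throw new LogicException("$method declares no permission"); }
    $req = $attrs[0]->newInstance();
    if ($user === null || !$checker->allows($user, (int) $params[$req->idParam], $req->permission)) {
        throw new RuntimeException('403 Forbidden');
    }
    return $controller->$method(...$params); // string keys are passed as named arguments
}

$service = new BoardService();
$controller = new BoardController($service);
$checker = new PermissionChecker($service);
echo dispatch($controller, 'rename', ['boardId' => 1, 'title' => 'Q3'], 'alice', $checker), "\n"; // user call, alice may edit
try {
    dispatch($controller, 'rename', ['boardId' => 1, 'title' => 'X'], 'bob', $checker); // bob only has read
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
echo $service->rename(1, 'Archive'), "\n"; // occ-style call: no current user, no check
```

With the check moved out of the service, any controller action that lacks the attribute is rejected rather than silently left unprotected, which keeps a forgotten annotation from becoming an authorization gap.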