Field level permissions #1912

@TheSlimvReal

As a project manager, I want to make certain fields read-only for some users in order to not allow them to edit them.
This request has come up with some organisation.

Objective
At the moment we can only provide permissions on a whole entity.
This should extend this functionality so that certain fields can also be enabled/disabled for some user roles.

Proposed Solutions & Alternatives
CASL, which we use to define our permissions, already allows defining so-called fields to which a certain rule applies.
This theoretically already covers what we need.
To make this feature more usable, this should also result in an adaptation of the UI.
Fields which the user is not allowed to edit should stay in read-only mode when the edit button is clicked.
To detect which fields a user is not allowed to edit, CASL provides the function permittedFieldsOf to find out which fields a user can perform a certain action on.

In the backend this should also be properly implemented.
At the moment this case is only covered in the single document POST endpoint.

Steps

  • Individual properties should stay disabled in forms if the user has no "create" or "update" permissions
  • Implement property-based write in the backend for all endpoints receiving documents
  • Individual properties should not be shown in forms if the user has no "read" permissions
  • Implement property-based "read" in the backend for all endpoints sending documents
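An added sketch of the two backend steps above (property-based write and read); it is not the project's code and does not call CASL. The rule shape imitates CASL's `fields` option, and the role names, the `Child` subject and every property name are constructed for illustration.

```javascript
// Constructed sample rules in a CASL-like shape (not the project's configuration).
// A rule without `fields` covers every property; "manage" stands for any action.
const RULES = {
  admin: [{ subject: "Child", action: "manage" }],
  teacher: [
    { subject: "Child", action: "read" },
    { subject: "Child", action: "update", fields: ["name", "notes"] },
  ],
  volunteer: [{ subject: "Child", action: "read", fields: ["name"] }],
};

// Properties of `subject` on which `role` may perform `action`; "*" means all.
function permittedFields(role, action, subject) {
  const fields = new Set();
  for (const rule of RULES[role] ?? []) {
    if (rule.subject !== subject) continue;
    if (rule.action !== action && rule.action !== "manage") continue;
    if (!rule.fields) return "*";
    rule.fields.forEach((f) => fields.add(f));
  }
  return fields; // empty set: nothing permitted (deny by default)
}

// Write check for an endpoint receiving a whole document: diff it against the
// stored version and return every changed, added or removed property the role
// may not write. The JSON comparison is strict, so it fails closed.
function deniedChanges(role, subject, stored, incoming) {
  const old = stored ?? {};
  const allowed = permittedFields(role, stored ? "update" : "create", subject);
  if (allowed === "*") return [];
  const keys = new Set([...Object.keys(old), ...Object.keys(incoming)]);
  return [...keys].filter(
    (k) => JSON.stringify(old[k]) !== JSON.stringify(incoming[k]) && !allowed.has(k)
  );
}

// Read filter for an endpoint sending documents: drop unreadable properties.
function readableView(role, subject, doc) {
  const allowed = permittedFields(role, "read", subject);
  if (allowed === "*") return { ...doc };
  return Object.fromEntries(Object.entries(doc).filter(([k]) => allowed.has(k)));
}
```

A non-empty result from `deniedChanges` is the point at which the endpoint would reject the request, so a client that ignores the read-only form state still cannot change a protected property.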

Metadata

Labels

released (managed by CI, semantic-release); released on @master (managed by CI, semantic-release)

Status

Done
