Adapt permissions on backend for Caroster Plus

Event

• Create: Everybody
• Find One: Everybody BUT by UUID only - Forced for the REST API
• Update:
  • C+: Event admins Need to store admins #281 (closed)
  • Other: Everybody
• Delete: Nobody
• Find: Nobody

Travel

• Create:
  • C+: Logged user
  • Other: Everybody
• Find One: Nobody
• Update: ( #226 (closed))
  • C+: Travel creator & event admins
  • Other: Everybody
• Delete:
  • C+: Travel creator & event admins
  • Other: Everybody
• Find: Everbody but only through event fetch

Passenger

• Create:
  • C+: Logged user linked to itself
  • Other: Everybody
• Find One: Nobody
• Update: Only update travel in same event
• Delete: ( #462 (closed))
  • C+: Passenger creator & event admins
  • Other: Everybody
• Find: Everybody but only through travel & event fetch

Vehicle

• Create: Logged user
• Find One: Nobody
• Update: Logged user only its own vehicles
• Delete: Logged user only its own vehicles
• Find: Logged user only its own vehicles through profile entity

User

• Show private fields only for me endpoint (eg. disable all user field on travel{user})