Add api_scope target for IAM policy

app/routing/middleware/api/Permission.middleware.js

@@ -1,7 +1,13 @@
 const { Middleware } = require('libflitter')
 
 class PermissionMiddleware extends Middleware {
+    static get services() {
+        return [...super.services, 'models']
+    }
+
     async test(req, res, next, { check }) {
+        const Policy = this.models.get('iam:Policy')
+
         // If the request was authorized using an OAuth2 bearer token,
         // make sure the associated client has permission to access this endpoint.
         if ( req?.oauth?.client ) {
@@ -11,8 +17,11 @@ class PermissionMiddleware extends Middleware {
                     .api()
         }
 
+        const policy_denied = await Policy.check_user_denied(req.user, check)
+        const policy_access = await Policy.check_user_access(req.user, check)
+
         // Make sure the user has permission
-        if ( !req.user.can(check) )
+        if ( policy_denied || (!req.user.can(check) && !policy_access) )
             return res.status(401)
                 .message('Insufficient permissions.')
                 .api()