implemented operation based permissions

core/lib/Controllers/UserSettingsController.php

@@ -23,7 +23,12 @@ class UserSettingsController extends ControllerAbstract
      * 
      * @return JsonResponse Settings data as key-value pairs
      */
-    #[AuthenticatedRoute('/user/settings', name: 'user.settings.read', methods: ['GET'])]
+    #[AuthenticatedRoute(
+        '/user/settings', 
+        name: 'user.settings.read', 
+        methods: ['GET'],
+        permissions: ['user.settings.read']
+    )]
     public function read(): JsonResponse
     {
         // Fetch all settings (no filter)
@@ -48,7 +53,12 @@ class UserSettingsController extends ControllerAbstract
      * 
      * @return JsonResponse Updated settings data
      */
-    #[AuthenticatedRoute('/user/settings', name: 'user.settings.update', methods: ['PUT', 'PATCH'])]
+    #[AuthenticatedRoute(
+        '/user/settings', 
+        name: 'user.settings.update', 
+        methods: ['PUT', 'PATCH'],
+        permissions: ['user.settings.update']
+    )]
     public function update(array $data): JsonResponse
     {
         $this->userService->storeSettings($data);