
fix: property validation on some permission endpoints

KernelDeimos 11 months ago
parent
commit
0855f2b36e

+ 6 - 0
packages/backend/src/routers/auth/grant-user-app.js

@@ -44,6 +44,12 @@ module.exports = eggspress('/auth/grant-user-app', {
         throw APIError.create('field_missing', null, { key: 'app_uid' });
     }
 
+    if ( ! req.body.permission ) {
+        throw APIError.create('field_missing', null, {
+            key: 'permission'
+        });
+    }
+
     const token = await svc_permission.grant_user_app_permission(
         actor, req.body.app_uid, req.body.permission,
         req.body.extra || {}, req.body.meta || {}
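Review bot: The added guard `if ( ! req.body.permission )` only tests truthiness, so a JSON body carrying `permission` as an array, object, number or `true` still reaches `svc_permission.grant_user_app_permission`; whether the service rejects non-string permissions is not visible here. Since this value determines what access is granted, I would tighten the check to `if ( typeof req.body.permission !== 'string' || ! req.body.permission )`, keeping the same `field_missing` error or a more specific invalid-field error if the project defines one. The identical guard added in `grant-user-user.js` before `grant_user_user_permission` has the same gap. The context lines `req.body.extra || {}` and `req.body.meta || {}` are likewise passed through without a type check, though they are not part of this change. The handler body starts and ends outside both hunks, so there may be earlier validation that I cannot see.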

+ 6 - 0
packages/backend/src/routers/auth/grant-user-user.js

@@ -21,6 +21,12 @@ module.exports = eggspress('/auth/grant-user-user', {
         throw APIError.create('field_missing', null, { key: 'target_username' });
     }
 
+    if ( ! req.body.permission ) {
+        throw APIError.create('field_missing', null, {
+            key: 'permission'
+        });
+    }
+
     await svc_permission.grant_user_user_permission(
         actor, req.body.target_username, req.body.permission,
         req.body.extra || {}, req.body.meta || {}