feat/enh: api keys user permission

breaking change, `ENABLE_API_KEY` renamed to `ENABLE_API_KEYS` and disabled by default and must be explicitly toggled on.

backend/open_webui/utils/auth.py

@@ -21,6 +21,8 @@ from typing import Optional, Union, List, Dict
 
 from opentelemetry import trace
 
+
+from open_webui.utils.access_control import has_permission
 from open_webui.models.users import Users
 
 from open_webui.constants import ERROR_MESSAGES
@@ -228,13 +230,17 @@ def get_current_user(
 
     # auth by api key
     if token.startswith("sk-"):
-        if not request.state.enable_api_key:
+        user = get_current_user_by_api_key(token)
+
+        if not request.state.enable_api_keys or not has_permission(
+            user.id,
+            "features.api_keys",
+            request.app.state.config.USER_PERMISSIONS,
+        ):
             raise HTTPException(
                 status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
             )
 
-        user = get_current_user_by_api_key(token)
-
         # Add user info to current span
         current_span = trace.get_current_span()
         if current_span: