there wasn't authorization logic in the application services that wasn't backed by SpiceDB