refactor access token controller

• added methods has and hasAny to Permissions class
• moved permission checks to abstract controller
• implemented new permission checks from abstract in access token controller
• split the actions of checking any or specific permissions