Check user permissions correctly

What does this MR do?

In !22688 (merged) we introduced returning meaningful errors when adding one epic at time. We, however, missed checking user permissions in that case.

It is not a big issue as we check it in the controller, but we should keep consistency with other services and make sure here that a user has permissions.

This MR adds a check for permissions for both cases (one epic added/multiple epics added)

Does this MR meet the acceptance criteria?

Conformity

• [-] Changelog entry
• [-] Documentation (if required)
• Code review guidelines
• Merge request performance guidelines
• Style guides
• [-] Database guides
• Separation of EE specific content

Availability and Testing

• Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.