Developing a Secure API with NestJS

@mob I found a challenge on this. I think that guards are executed in order in NestJS. If I wrap the controller in the @UseGuards(PermissionsGuard) it fails because the AuthGuard is the one that injects the user object into the Execution Context. But AuthGuard would be called at the endpoint-level – after PermissionsGuard.

I tried your other suggestion on modeling the PermissionsGuard to take the required permissions as parameter but that fails unless I remove the @Injectable() from the PermissionsGuard definition and when the guard is used, I always have to start it with new. I re-read some of the docs and it seems to me that NestJS wants you to specify this type of metadata (permissions required, roles, etc.) outside of the guard and rather have the guard consume it. :thinking: What do you think?
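
The ordering problem described in the post above, as an added example that is not part of the original post and is not NestJS code: a dependency-free TypeScript model of the documented resolution order (controller-level guards run before route-level guards, and guards in one binding run in the order listed). The guard objects, `runGuards`, the token and the permission strings are constructed for illustration.

```typescript
// Simplified model of NestJS guard resolution (not NestJS code): guards bound
// at controller level run before guards bound at route level, and guards in
// one binding run in the order listed.
type Req = { headers: Record<string, string>; user?: { permissions: string[] } };
type Ctx = { request: Req; required: string[] }; // `required` stands in for route metadata
type Guard = { name: string; canActivate(ctx: Ctx): boolean };

// Stand-in for AuthGuard: checks the (constructed) token and attaches the user.
const authGuard: Guard = {
  name: "AuthGuard",
  canActivate(ctx) {
    if (ctx.request.headers["authorization"] !== "Bearer constructed-token") return false;
    ctx.request.user = { permissions: ["read:items"] };
    return true;
  },
};

// Stand-in for PermissionsGuard: consumes metadata, takes no constructor arguments.
const permissionsGuard: Guard = {
  name: "PermissionsGuard",
  canActivate(ctx) {
    const granted = ctx.request.user?.permissions ?? []; // no user attached yet: nothing granted
    return ctx.required.every((p) => granted.includes(p));
  },
};

// Runs controller-level guards, then route-level guards; stops at the first denial.
function runGuards(controller: Guard[], route: Guard[], required: string[]) {
  const ctx: Ctx = { request: { headers: { authorization: "Bearer constructed-token" } }, required };
  const trace: string[] = [];
  for (const g of [...controller, ...route]) {
    trace.push(g.name);
    if (!g.canActivate(ctx)) return { allowed: false, trace };
  }
  return { allowed: true, trace };
}

// Layout from the post: PermissionsGuard on the controller, AuthGuard on the route.
const broken = runGuards([permissionsGuard], [authGuard], ["read:items"]);
// Both guards in one binding, AuthGuard first, permissions supplied as metadata.
const fixed = runGuards([], [authGuard, permissionsGuard], ["read:items"]);
// Same binding, but the route requires a permission the user does not hold.
const denied = runGuards([], [authGuard, permissionsGuard], ["delete:items"]);
```

In NestJS itself the `required` list would be attached to the handler with `SetMetadata` and read inside the guard through `Reflector`, which lets the guard stay `@Injectable()` and be referenced by class rather than constructed with `new`.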