[permissions] Enforce object-records permission checks in resolvers (#10304)

Closes https://github.com/twentyhq/core-team-issues/issues/393

- enforcing object-records permission checks in resolvers for now. we
will move the logic to a lower level asap
- add integration tests that will still be useful when we have moved the
logic
- introduce guest seeded role to test limited permissions on
object-records

packages/twenty-server/src/engine/metadata-modules/role/role.service.ts

@@ -56,4 +56,23 @@ export class RoleService {
       workspaceId,
     });
   }
+
+  // Only used for dev seeding and testing
+  public async createGuestRole({
+    workspaceId,
+  }: {
+    workspaceId: string;
+  }): Promise<RoleEntity> {
+    return this.roleRepository.save({
+      label: 'Guest',
+      description: 'Guest role',
+      canUpdateAllSettings: false,
+      canReadAllObjectRecords: true,
+      canUpdateAllObjectRecords: false,
+      canSoftDeleteAllObjectRecords: false,
+      canDestroyAllObjectRecords: false,
+      isEditable: false,
+      workspaceId,
+    });
+  }
 }