[permissions] Enforce object-records permission checks in resolvers (#10304)

Closes https://github.com/twentyhq/core-team-issues/issues/393

- enforcing object-records permission checks in resolvers for now. we
will move the logic to a lower level asap
- add integration tests that will still be useful when we have moved the
logic
- introduce guest seeded role to test limited permissions on
object-records

packages/twenty-server/src/engine/workspace-manager/workspace-manager.service.ts

@@ -278,6 +278,17 @@ export class WorkspaceManagerService {
     if (workspaceId === SEED_APPLE_WORKSPACE_ID) {
       adminUserWorkspaceId = DEV_SEED_USER_WORKSPACE_IDS.TIM;
       memberUserWorkspaceId = DEV_SEED_USER_WORKSPACE_IDS.JONY;
+
+      // Create guest role only in this workspace
+      const guestRole = await this.roleService.createGuestRole({
+        workspaceId,
+      });
+
+      await this.userRoleService.assignRoleToUserWorkspace({
+        workspaceId,
+        userWorkspaceId: DEV_SEED_USER_WORKSPACE_IDS.PHIL,
+        roleId: guestRole.id,
+      });
     } else if (workspaceId === SEED_ACME_WORKSPACE_ID) {
       adminUserWorkspaceId = DEV_SEED_USER_WORKSPACE_IDS.TIM_ACME;
     }