[permissions] Enforce object-records permission checks in resolvers (#10304)

Closes https://github.com/twentyhq/core-team-issues/issues/393

- enforcing object-records permission checks in resolvers for now. we
will move the logic to a lower level asap
- add integration tests that will still be useful when we have moved the
logic
- introduce guest seeded role to test limited permissions on
object-records

packages/twenty-shared/src/constants/StandardObjectRecordsUnderObjectRecordsPermissions.ts

@@ -0,0 +1,7 @@
+export const STANDARD_OBJECT_RECORDS_UNDER_OBJECT_RECORDS_PERMISSIONS = [
+  'person',
+  'company',
+  'opportunity',
+  'note',
+  'task',
+];

packages/twenty-shared/src/constants/index.ts

@@ -1,6 +1,6 @@
 export * from './FieldForTotalCountAggregateOperation';
 export * from './PermissionsOnAllObjectRecords';
 export * from './SettingsFeatures';
+export * from './StandardObjectRecordsUnderObjectRecordsPermissions';
 export * from './TwentyCompaniesBaseUrl';
 export * from './TwentyIconsBaseUrl';
-

packages/twenty-shared/src/utils/index.ts

@@ -1,5 +1,5 @@
 export * from './fieldMetadata';
 export * from './image';
+export * from './permissions';
 export * from './strings';
 export * from './validation';
-export * from './validation';

packages/twenty-shared/src/utils/permissions/index.ts

@@ -0,0 +1 @@
+export * from './isObjectRecordUnderObjectRecordsPermissions';

packages/twenty-shared/src/utils/permissions/isObjectRecordUnderObjectRecordsPermissions.ts

@@ -0,0 +1,16 @@
+import { STANDARD_OBJECT_RECORDS_UNDER_OBJECT_RECORDS_PERMISSIONS } from 'src/constants';
+
+export const isObjectRecordUnderObjectRecordsPermissions = ({
+  isCustom,
+  nameSingular,
+}: {
+  isCustom: boolean;
+  nameSingular: string;
+}) => {
+  return (
+    isCustom ||
+    STANDARD_OBJECT_RECORDS_UNDER_OBJECT_RECORDS_PERMISSIONS.includes(
+      nameSingular,
+    )
+  );
+};