feat: permission permissions

Orgs can only grant permissions to groups that they themselves have been granted access to.

Super admin bypasses not added, flagged as todos.

test/conftest.py

@@ -10,7 +10,7 @@ from src.user.models import User
 from src.service.models import Service
 from src.organisation.models import Organisation as Org, OrgUsers
 from src.contact.models import Contact
-from src.iam.models import Group, Permission
+from src.iam.models import Group, Permission, OrgPermissions
 from src.auth.service import get_current_user, get_dev_user
 from src.auth.dependencies import empty_su_list, get_super_admin_list, testing_su_list
 from src.main import app  # inited FastAPI app
@@ -163,6 +163,9 @@ def _seed(db):
 	db.add(Service(name="Test Service", api_key="123456789"))
 	db.add(Permission(service_id=1, resource="test_resource", action="read"))
 	db.add(Permission(service_id=1, resource="test_resource", action="move"))
+	db.add(Permission(service_id=1, resource="test_resource", action="delete"))
+	db.add(OrgPermissions(org_id=1, permission_id=1))
+	db.add(OrgPermissions(org_id=1, permission_id=2))
 	db.add(Group(name="Org One Group", org_id=1))
 	db.add(Group(name="Org Two Group", org_id=2))
 	db.add(Group(name="Org One Group Two", org_id=1))

test/test_iam.py

@@ -437,7 +437,7 @@ async def test_post_perm_success(default_client: AsyncClient):
 	assert "permission" in data
 	assert isinstance(data["permission"], dict)
 
-	assert data["permission"]["id"] == 3
+	assert data["permission"]["id"] == 4
 	assert data["permission"]["service_name"] == "Test Service"
 	assert data["permission"]["resource"] == "test_resource"
 	assert data["permission"]["action"] == "create"