feat: permission permissions

Orgs can only grant permissions to groups that they themselves have been granted access to.

Super admin bypasses not added, flagged as todos.

src/iam/models.py

@@ -52,6 +52,10 @@ class Permission(Base):
 		"Group", secondary="group_permissions", back_populates="permission_rel"
 	)
 
+	org_rel = relationship(
+		"Organisation", secondary="org_permissions", back_populates="permission_rel"
+	)
+
 
 class Group(Base):
 	__tablename__ = "group"
@@ -95,3 +99,13 @@ class UserGroups(Base):
 	group_id = Column(
 		Integer, ForeignKey("group.id", ondelete="CASCADE"), primary_key=True
 	)
+
+
+class OrgPermissions(Base):
+	__tablename__ = "org_permissions"
+	org_id = Column(
+		Integer, ForeignKey("organisation.id", ondelete="CASCADE"), primary_key=True
+	)
+	permission_id = Column(
+		Integer, ForeignKey("permission.id", ondelete="CASCADE"), primary_key=True
+	)