chore(permissions): item and holdings

Access to the resource was limited to the current organisation.
This protects sensitive data on professional view.

Co-Authored-by: Bertrand Zuchuat <[email protected]>

projects/admin/src/app/routes/base-route.ts

@@ -137,6 +137,20 @@ export class BaseRoute {
     };
   }
 
+  /**
+   * Can read record
+   * @param record - the record
+   * @returns Observable boolean
+   */
+  protected canRead(record: any) {
+    const organisationPid = this._routeToolService.userService.user
+      .currentOrganisation;
+    const recordOrganisationPid = ('organisation' in record.metadata)
+      ? record.metadata.organisation.pid
+      : false;
+    return of({ can: organisationPid === recordOrganisationPid, message: '' });
+  }
+
   /**
    * Expert search link
    * @return string, link of help page
@@ -153,3 +167,4 @@ export class BaseRoute {
       : defaultPath;
     }
  }
+

projects/admin/src/app/routes/holdings-route.ts

@@ -61,6 +61,7 @@ export class HoldingsRoute extends BaseRoute implements RouteInterface {
               }
             },
             detailComponent: HoldingDetailViewComponent,
+            canRead: (record: any) => this.canRead(record),
             canAdd: () => of({ can: this._routeToolService.permissionsService.canAccess(PERMISSIONS.HOLD_CREATE) }),
             permissions: (record: any) => this._routeToolService.permissions(record, this.recordType, true),
             preCreateRecord: (data: any) => {

projects/admin/src/app/routes/items-route.ts

@@ -74,6 +74,7 @@ export class ItemsRoute extends BaseRoute implements RouteInterface {
             preFilters: {
               organisation: null
             },
+            canRead: (record: any) => this.canRead(record),
             canAdd: () => of({can: false}),
             permissions: (record: any) => this._routeToolService.permissions(record, this.recordType, false),
             preprocessRecordEditor: (record: any) => {