feat: check for client match on GET endpoint of permits and processed

src/permit/permit.service.ts

@@ -91,15 +91,20 @@ export async function createPermit(
   }
 }
 
-export async function getPermit(permitId: string, tenantId: string) {
-  return await permitModel
+export async function getPermit(permitId: string, user: AuthenticatedUser) {
+  const permit = await permitModel
     .findOne({
-      $and: [{ tenantId: tenantId }, { pid: permitId }],
+      $and: [{ tenantId: user.tenantId }, { pid: permitId }],
     })
     //.populate({ path: "county", select: "pid name avatar" })
     //.populate({ path: "client", select: "pid name avatar" })
     .populate({ path: "assignedTo", select: "pid name avatar" })
     .populate({ path: "createdBy", select: "pid name avatar" });
+
+  if (permit && user.role == "client" && user.orgId != permit.client.toString())
+    return null;
+
+  return permit;
 }
 
 export async function listPermits(