feat: check for client match on GET endpoint of permits and processed

src/processed/processed.route.ts

@@ -68,7 +68,7 @@ export async function processedRoutes(fastify: FastifyInstance) {
       const { permitId } = req.params as { permitId: string };
 
       try {
-        const permit = await getProcessedPermit(permitId, req.user.tenantId);
+        const permit = await getProcessedPermit(permitId, req.user);
         return res.code(200).send(permit);
       } catch (err) {
         return err;

src/processed/processed.service.ts

@@ -16,13 +16,21 @@ import { createAlert } from "../alert/alert.service";
 import { getUser } from "../user/user.service";
 import { orgModel } from "../organization/organization.schema";
 
-export async function getProcessedPermit(permitId: String, tenantId: String) {
-  return await processedModel
+export async function getProcessedPermit(
+  permitId: String,
+  user: AuthenticatedUser
+) {
+  const permit = await processedModel
     .findOne({
-      $and: [{ tenantId: tenantId }, { pid: permitId }],
+      $and: [{ tenantId: user.tenantId }, { pid: permitId }],
     })
     .populate({ path: "assignedTo", select: "pid name avatar" })
     .populate({ path: "createdBy", select: "pid name avatar" });
+
+  if (permit && user.role == "client" && user.orgId != permit.client.toString())
+    return null;
+
+  return permit;
 }
 
 export async function updateProcessed(