Restrict resources returned by user permission

[RobOatesHistoricEngland]

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Description of Change

Apply permission checks for Related Resources, otherwise it was possible to see resources for which the user should not.

Updated the second reference of resource.to_json() in api.py's ResourceReport.get() method to include the user and perm parameters.

Updated resource.py's Resource.get_related_resources() method to remove related resources for which the user can't read the resource for both the related from and related to resource instance.

Issues Solved

#10131

Checklist

• Unit tests pass locally with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Ticket Background

• Sponsored by: Historic England
• Found by: @RobOatesHistoricEngland
• Tested by: @RobOatesHistoricEngland
• Designed by: @RobOatesHistoricEngland

Further comments

AB# 59588

[aj-he]

@chiatt please reassign as required.

[chrabyrd]

👋 @RobOatesHistoricEngland

Overall this looks good but there's a single issue preventing me from merging this in.

[chrabyrd]

👋 @RobOatesHistoricEngland

So this PR kicked off a small internal discussion on how to solve the problem of adding a permissions check to related_resources while maintaining performance and pagination logic. We ended up going a bit of a different direction than what you suggested, and you can see the changes in #10191 .

Since we decided to go a different direction, I'm going to close this PR for now. But I wanted to let you know how appreciated this contribution is and that it has had a measurable impact on the codebase. If you have the bandwidth please review #10191 and let me know if there's any changes that need to be made. Thanks again!