fix: user scope assertion

Author: eveffer

deno.json

@@ -1,6 +1,6 @@
 {
   "name": "@inspatial/cloud",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "license": "Apache-2.0",
   "exports": {
     ".": "./mod.ts",

src/extension/core-extension.ts

@@ -191,6 +191,7 @@ export const coreExtension = new CloudExtension("core", {
         create: false,
         delete: false,
       },
+
       user: {
         view: true,
         modify: false,

src/orm/entry/entry.ts

@@ -111,6 +111,8 @@ export class Entry<
   }
 
   async load(id: IDValue): Promise<void> {
+    const role = this._inCloud.roles.getRole(this._user?.role as string);
+    const userScopeField = role.entryPermissions.get(this._name)?.userScope;
     this.assertViewPermission();
     this._data.clear();
     this._modifiedValues.clear();
@@ -127,6 +129,13 @@ export class Entry<
       if (!this._fields.has(key)) {
         continue;
       }
+      if (key === userScopeField && value !== this._user?.userId) {
+        raiseORMException(
+          `You do not have permission to view this ${this._entryType.config.label}`,
+          "PermissionDenied",
+          403,
+        );
+      }
       const fieldDef = this._getFieldDef(key);
       const fieldType = this._getFieldType(fieldDef.type);
       this._data.set(key, fieldType.parseDbValue(value, fieldDef));

src/orm/migrate/cloud-migrator.ts

@@ -144,9 +144,6 @@ export class InCloudMigrator extends InCloud {
   async #syncFieldMeta(orm: InSpatialORM) {
     const adminRole = orm.roles.getRole("systemAdmin");
     const skipFields = new Set<string>([
-      "id",
-      "createdAt",
-      "updatedAt",
       "in__tags",
     ]);
     const syncFields = async (