add permission check for form productor and product

backend/src/forms/forms.py

@@ -32,7 +32,10 @@ async def get_forms_filtered(
 
 
 @router.get('/{_id}', response_model=models.FormPublic)
-async def get_form(_id: int, session: Session = Depends(get_session)):
+async def get_form(
+    _id: int, 
+    session: Session = Depends(get_session)
+):
     result = service.get_one(session, _id)
     if result is None:
         raise HTTPException(
@@ -48,6 +51,11 @@ async def create_form(
     user: models.User = Depends(get_current_user),
     session: Session = Depends(get_session)
 ):
+    if not service.is_allowed(session, user, form=form):
+        raise HTTPException(
+            status_code=403,
+            detail=messages.Messages.not_allowed('forms', 'update')
+        )
     try:
         form = service.create_one(session, form)
     except exceptions.ProductorNotFoundError as error:
@@ -61,10 +69,16 @@ async def create_form(
 
 @router.put('/{_id}', response_model=models.FormPublic)
 async def update_form(
-    _id: int, form: models.FormUpdate,
+    _id: int, 
+    form: models.FormUpdate,
     user: models.User = Depends(get_current_user),
     session: Session = Depends(get_session)
 ):
+    if not service.is_allowed(session, user, _id=_id):
+        raise HTTPException(
+            status_code=403,
+            detail=messages.Messages.not_allowed('forms', 'update')
+        )
     try:
         result = service.update_one(session, _id, form)
     except exceptions.FormNotFoundError as error:
@@ -82,6 +96,11 @@ async def delete_form(
     user: models.User = Depends(get_current_user),
     session: Session = Depends(get_session)
 ):
+    if not service.is_allowed(session, user, _id=_id):
+        raise HTTPException(
+            status_code=403,
+            detail=messages.Messages.not_allowed('forms', 'delete')
+        )
     try:
         result = service.delete_one(session, _id)
     except exceptions.FormNotFoundError as error: