Department Manager cross-department edit restriction not enforced (S2.10) #40

@andrewyager

Description

Department Managers can currently edit assets belonging to other departments. The spec requires DMs to have read-only access to assets outside their department(s).

Spec Sections: S2.10, S10B (US-DM-002, US-DM-007, US-DM-014)
Severity: MEDIUM — permissions are too permissive
MoSCoW: MUST

What the spec requires

  • DMs can view assets from any department (read-only)
  • DMs can only edit/modify assets in their own department(s)
  • After checking out an asset from another department, a DM should still not be able to edit it

What currently exists

The asset edit view does not check whether the logged-in DM's department matches the asset's department. All edit requests return 200 regardless of department membership.
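An added illustration of the department check the edit view currently skips; this is example code, not the project's own, and the User/Asset models, the "dm" role string and the department fields are assumptions standing in for the real ones.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


# Hypothetical stand-ins for the project's user and asset models (assumed).
@dataclass(frozen=True)
class User:
    username: str
    role: str                                 # "dm" = Department Manager
    departments: FrozenSet[str] = frozenset()  # department(s) the DM manages


@dataclass
class Asset:
    asset_id: str
    department: str
    name: str = ""
    checked_out_by: Optional[str] = None      # username holding the checkout


def dm_can_view(user: User, asset: Asset) -> bool:
    """S2.10: a DM may read any asset, whatever department owns it."""
    return user.role == "dm"


def dm_can_edit(user: User, asset: Asset) -> bool:
    """S2.10 / US-DM-002 / US-DM-007: edit only within the DM's own department(s).

    US-DM-014: a checkout held on a foreign asset does not widen this, so the
    decision deliberately ignores asset.checked_out_by.
    """
    if user.role != "dm":
        return False
    return asset.department in user.departments


def edit_asset_view(user: User, asset: Asset, changes: Dict[str, str]) -> int:
    """Minimal stand-in for the edit view; returns the HTTP status it should send.

    The current view omits the dm_can_edit() guard and returns 200 for every
    department; with the guard, cross-department edits are rejected with 403.
    """
    if not dm_can_edit(user, asset):
        return 403
    for field_name, value in changes.items():
        setattr(asset, field_name, value)
    return 200
```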

Xfail Test Coverage (4 tests)

| File | Test | Reason |
| --- | --- | --- |
| test_dept_manager.py | TestUS_DM_002::test_dm_cannot_edit_other_dept_draft | DM cross-department edit restriction not enforced |
| test_dept_manager.py | TestUS_DM_007::test_dm_cannot_edit_other_dept_asset | DM cross-department edit restriction not enforced |
| test_dept_manager.py | TestUS_DM_014::test_dm_cannot_edit_other_dept_asset_after_checkout | DM cross-department edit restriction not enforced |
| test_dept_manager.py | TestUS_DM_002_ManageDraftsQueue_CrossDept::test_dm_cannot_edit_draft_from_other_department | DM can currently edit drafts in other departments |

Branch: feature/test-reorganisation-and-functional-suite (PR #37)