The Topicmaps module broadcasts addTopicToTopicmap/addAssocToTopicmap websocket messages to all connected clients. Thus a topic/assoc might become visible on a topicmap even if the user lacks READ permission.

This happens e.g. when private topics/assocs are revealed on a shared topicmap.

Fix: for every websocket connection check if the associated user has READ permission for the topic/assoc. Only send message if so.

This is a follow-up of https://git.dmx.systems/dmx-intern/sprint-planning/-/issues/214#note_15396

Thank you @jpn for reporting!
@mukil FYI