Implement object based permissions

[jokiefer]

Environment

• Python version: 3.7
• MrMap version: v0.0.0

Proposed Functionality

The built in django permission handling should be enhanced by a object level permission handling from django-guardian.

• remove get_services()

• remove get_services_as_qs()

• remove get_metadatas_as_qs()

• remove get_datasets_as_qs()

• implement PermissionListMixin for all ListViews

• change from django PermissionRequiredMixin to PermissionRequiredMixin

Use Case

security benefit

Since #52, the permission handling is only model based. For example, a user could delete a group if he has the structure.remove_mrmapgroup permission in any case. We need also permission handling on object level. This means a user shall only be able to delete a group, if he has specific permissions for this specific group.

filter querysets benefit

With the PermissionListMixin the user will only see object for that he has permissions.

Database Changes

• add signals to create permissions on object creation

@armin11 The question we need to answer is: What should happen with all objects that are created by the group if the group is deleted. I think there are three options:

1. set created_by to orphaned group. --> only superuser can see/change/delete this objects
2. move all objects to new group. --> new delete process for some objects are needed. The new group grants all old rights
3. remove all objects

External Dependencies

django-guardian

[jokiefer]

As discussed with @armin11 we implement the following workflow if a group will be deleted:
If a group has dependencies (objects created_by the group), the group can not be deleted. The user will be forced to decide what to do with his objects. Two options:

1. move all objects to new group
2. remove all objects

[jokiefer]

I opened a issue to integrate this feature #63