This repository has been archived by the owner on Jan 23, 2021. It is now read-only.

Restrict new/modified Janeus roles #1

Open
trolando opened this issue Nov 19, 2015 · 0 comments

Currently someone who can make a Janeus role can assign/remove permissions that they themselves don't have. This allows anyone who can modify a Janeus role to assign themselves all permissions. This is basically a security problem. They can also modify roles of others to remove permissions that they themselves do not have.

So far, we have been aware that this is an issue, but it is currently not a priority to repair. However, this should be done at some point.

One open question is how to know what permissions the current user has on other sites than the current site. One possibility is to simply only consider permissions given by Janeus, or the superuser flag in the admin (to allow everything).

More formally, the permission system works as follows:

  • For a given JaneusRole object r, let SITES(r) be all sites in the database if r.sites is empty, and r.sites otherwise.
  • For a given JaneusRole object r, let PERMS(r) be the selected permissions (in r.permissions) plus the permissions of each selected Group (in r.groups).
  • Then JaneusRole r assigns permission p on site s, if p is in PERMS(r) and s is in SITES(r).
  • Let u be a user and ROLES(u) be the set of LDAP roles of user u. Then user u has permission p on site s, if there is a JaneusRole r, with r.role in ROLES(u), that assigns permission p on site s.

Then the administrator can only add or remove permission p on site s for some user, if the administrator also has that permission on that site, or if the administrator is a superuser.
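The rule above, worked through as an added Python example (not code from the Janeus repository): it computes which (permission, site) pairs a role edit touches and which of those the editor does not hold. The `Role` dataclass, the function names and the sample data are hypothetical stand-ins for the Django models, and treating a change of the LDAP role name as touching every grant of both versions is an assumption that goes beyond the issue text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    """Hypothetical stand-in for a JaneusRole row (not the Django model)."""
    role: str                            # LDAP role name
    permissions: frozenset = frozenset()
    groups: frozenset = frozenset()      # names of the selected Groups
    sites: frozenset = frozenset()       # empty means every site

def grants(r, all_sites, group_perms):
    """All (p, s) pairs that r assigns: PERMS(r) x SITES(r)."""
    perms = set(r.permissions)
    for g in r.groups:
        perms |= group_perms.get(g, frozenset())
    sites = r.sites or all_sites         # empty r.sites expands to all sites
    return {(p, s) for p in perms for s in sites}

def user_grants(ldap_roles, stored_roles, all_sites, group_perms):
    """All (p, s) pairs held by a user whose LDAP roles are ROLES(u)."""
    held = set()
    for r in stored_roles:
        if r.role in ldap_roles:
            held |= grants(r, all_sites, group_perms)
    return held

def denied_changes(editor_ldap_roles, is_superuser, old, new,
                   stored_roles, all_sites, group_perms):
    """(p, s) pairs touched by the edit old -> new that the editor lacks.

    old is None when creating a role, new is None when deleting one.
    stored_roles must be the database state from before the edit, so an
    editor cannot authorize a change with the change itself.
    """
    if is_superuser:
        return set()
    before = grants(old, all_sites, group_perms) if old is not None else set()
    after = grants(new, all_sites, group_perms) if new is not None else set()
    if old is not None and new is not None and old.role != new.role:
        touched = before | after         # rename moves every grant (assumption)
    else:
        touched = before ^ after         # pairs added or removed
    return touched - user_grants(editor_ldap_roles, stored_roles,
                                 all_sites, group_perms)

# Constructed sample data, not taken from the Janeus project.
ALL_SITES = frozenset({"site-a", "site-b"})
GROUP_PERMS = {"editors": frozenset({"change_page"})}
STORED = [Role("webteam", groups=frozenset({"editors"}),
               sites=frozenset({"site-a"}))]
```

An empty result means the edit may be saved. Clearing `sites` on a role is caught because it expands the grant to every site, including ones where the editor holds nothing.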
