Permissions : Prevent inappropriate permission changes in IObjects

[jamoore]

This ticket is a part of #1434

With group security, the permission column for all IObjects other than ExperimenterGroup is largely obsolete (and may be removed in future versions). However, as long as the field exists, we should guarantee that it isn't inappropriately changed. (Note: changes to the SecurityFilter in #1771 already ignore the row-level permissions for most things)

• all READ permissions should be synced with the group permissions.
• WRITE permissions will continue to be used for the present.

[jmoore]

r6052 contains a check that guarantees that READ permissions for GROUP & WORLD are identical with those of the group object. (We still haven't decided what ------ means, so it's not being checked for.)

[jmoore]

r6054 matches all READ and WRITE permissions to match that of the group. (i.e. no individual object modifications are allowed). Instead, wider changes are permitted via changePermissions(ExperimenterGroup)

[jmoore]

r6056 includes a fix for IAdmin.updateGroup so that if permissions are non-null, then changePermissions() will be called internally.

[jmoore]

r6058 fixes an issue in updateGroup() when permissions have been modified.

[jmoore]

Note: it may be of use for clients to generally use the group.getDetails().getPermissions() or the eventContext.groupPermissions objects as a basis for creating new permissions to prevent mistakes. For example, --r--- is not a valid permissions object so the following code will (currently) fail:

 p = omero.model.PermissionsI()
 p.setGroupRead(True)
 iAdmin.changePermissions( myGroup, p)

[jmoore]

r6107 removes a last "NYI" related to the previous comment. We may want to expand the supported ​transitions later, but closing for now.

[jmoore]

(In [6831]) see #1776 - Removing explicit permissions from omero.client.upload

[jmoore]

see #2873