
Task #1794 (assigned)

Opened 14 years ago

Last modified 14 years ago

Permissions : Define exceptions to standard group permissions (#1434) — at Version 7

Reported by: jamoore Owned by: jamoore
Priority: major Milestone: OMERO-Beta4.2
Component: Security Version: 4.1
Keywords: n.a. Cc: atarkowska, jburel
Resources: n.a. Referenced By: n.a.
References: n.a. Remaining Time: 0.5d
Sprint: 2010-03-19 (5)

Description (last modified by jmoore)

As a follow-up to #1434, an attempt should be made to outline the exceptions to the group-security system that has been put in place. E.g. what objects cannot exist in only one group? Two examples have already shown up:

  • #1784 - scripts in the "system" group
  • #1791 - user photos in the "user" group

==Discussion Mar. 22 (Ola, Jean-Marie, Josh):==

  • the goal is a common-pot
    • the common-pot is an area to put objects which
      1. should be seen by all users
      2. can be linked to by all objects
  • possible objects for the common pot: ratings (1-5), tags, scripts (#1784), user photos (#1791)
  • need to keep in mind uploading private scripts versus uploading public scripts
  • need method for uploading user photos
  • an alternative might be adding roles ("PUBLIC", etc.) but this will need more investigation

==Questions:==

  • What does an owner of "user" group mean?
  • Do we need a parameters item to filter out the common-pot?
  • Will these objects be allowed to have divergent permissions (not tied to the group) or is it even necessary since they have special handling?
  • would it be possible to use the "WORLD" flag?

==Decisions:==

  • move from using "system" and "user" group to only using "user" group for common-pot
  • only admins can add to the common pot (add methods where necessary)
  • we will wait on the parameter filter and decide on its need

Change History (7)

comment:1 Changed 14 years ago by jmoore

  • Description modified (diff)

comment:2 Changed 14 years ago by jmoore

  • Description modified (diff)

comment:3 Changed 14 years ago by jmoore

At least while testing (which happens often as root) this can be a good surprise:

omero=# select count(id) from image where group_id = 4054;
 count 
-------
     4
(1 row)

omero=# select count(id) from image where group_id = 4054 OR group_id = 0;
 count 
-------
 51549
(1 row)

so that:

srvFactory.setSecurityContext(someSmallGroup);
iQuery.findAll("Image", None);

can return 50K+ images.
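
An added illustration (not part of the ticket or of OMERO's code) of the read filter behind the counts in comment:3, together with the opt-out parameter raised under Questions and the admin-only write rule under Decisions. The table layout, the function names and the use of group 0 as the common pot are assumptions, and sqlite3 stands in for the PostgreSQL database.

```python
import sqlite3

COMMON_GROUP_ID = 0  # assumption: the common pot, as group_id = 0 in the queries above


def make_db():
    """In-memory stand-in for the image table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE image (id INTEGER PRIMARY KEY, group_id INTEGER NOT NULL)")
    rows = [(4054,)] * 4 + [(COMMON_GROUP_ID,)] * 50 + [(7,)] * 3
    conn.executemany("INSERT INTO image (group_id) VALUES (?)", rows)
    return conn


def count_images(conn, context_group, include_common=True):
    """Count images readable in a security context.

    include_common is the hypothetical "parameter filter" from the Questions
    list: False restricts the read to the context group alone.
    """
    groups = [context_group]
    if include_common and context_group != COMMON_GROUP_ID:
        groups.append(COMMON_GROUP_ID)
    marks = ",".join("?" * len(groups))  # placeholders only, values stay bound
    sql = f"SELECT count(id) FROM image WHERE group_id IN ({marks})"
    return conn.execute(sql, groups).fetchone()[0]


def add_image(conn, target_group, member_of, is_admin=False):
    """Insert an image; only admins may write into the common pot."""
    if target_group == COMMON_GROUP_ID:
        if not is_admin:
            raise PermissionError("only admins can add to the common pot")
    elif target_group not in member_of:
        raise PermissionError("not a member of the target group")
    cur = conn.execute("INSERT INTO image (group_id) VALUES (?)", (target_group,))
    return cur.lastrowid


if __name__ == "__main__":
    db = make_db()
    print(count_images(db, 4054))                        # context group + common pot
    print(count_images(db, 4054, include_common=False))  # context group only
```
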

comment:4 Changed 14 years ago by jmoore

  • Type changed from User Story to Task

comment:5 Changed 14 years ago by jmoore

  • Remaining Time set to 0.5
  • Sprint set to 2010-03-19 (5)

comment:6 Changed 14 years ago by jmoore

  • Status changed from new to assigned

comment:7 Changed 14 years ago by jmoore

  • Description modified (diff)

Merging #1784 and #1791
