Add permissions to SyncStatus model. #8205

Merged
merged 2 commits into from Jul 27, 2021

rtibbles
Member

Summary

  • Adds very simple read only + same facility permissions to the sync status model

Testing checklist

  • Contributor has fully tested the PR manually
  • If there are any front-end changes, before/after screenshots are included
  • Critical user journeys are covered by Gherkin stories
  • Critical and brittle code paths are covered by unit tests

PR process

  • PR has the correct target branch and milestone
  • PR has 'needs review' or 'work-in-progress' label
  • If PR is ready for review, a reviewer has been added. (Don't use 'Assignees')
  • If this is an important user-facing change, PR or related issue has a 'changelog' label
  • If this includes an internal dependency change, a link to the diff is provided

Reviewer checklist

  • Automated test coverage is satisfactory
  • PR is fully functional
  • PR has been tested for accessibility regressions
  • External dependency files were updated if necessary (yarn and pip)
  • Documentation is updated
  • Contributor is in AUTHORS.md

@rtibbles rtibbles added the TODO: needs review Waiting for review label Jul 14, 2021
@rtibbles rtibbles added this to the 0.15.0 milestone Jul 14, 2021
"""
For simplicity, let anyone from the same facility read the sync status
for now. In the future, we may want to restrict this, but it is not
sensitive information.
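
Review bot: the docstring's closing claim, "it is not sensitive information", is stated without naming the fields a same-facility reader gets back. List the readable fields here so that a later addition to the model is checked against this blanket read permission, and turn "In the future, we may want to restrict this" into a tracked TODO.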

The model contains a foreignkey onto SyncSession, which means it directly stores the sync session ID, which is used as the "session token" (like a browser session_id cookie) for purposes of syncing -- if the syncsession is still active, anybody with that ID can sync within the scope of that sync session, without further certificate verification.

I'm not seeing anywhere in the codebase yet that pulls this model in to display in the frontend, but I'd recommend that it not send the sync session ID as part of that, instead just looking up the relevant fields (e.g. last_activity timestamp) across the foreignkey. If that were enforced, then it would perhaps be OK to leave these permissions as-is. But the safest would be to only allow access for someone who's a coach or admin for the target user.
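
The stricter option recommended in the comment above, as an added plain-Python sketch that is not part of this PR or of Kolibri's code: read access is limited to a coach or admin for the target user, and the response carries the last-activity timestamp looked up across the foreign key, never the sync session ID. All class, field and function names here are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class User:                       # hypothetical stand-in for a facility user
    id: str
    facility_id: str
    is_admin: bool = False        # admin of their own facility
    coaches: frozenset = frozenset()  # ids of the users this person coaches

@dataclass(frozen=True)
class SyncSession:                # hypothetical stand-in for the session row
    id: str                       # doubles as the sync session token
    last_activity_timestamp: datetime

@dataclass(frozen=True)
class SyncStatus:                 # hypothetical stand-in for the status row
    user: User
    sync_session: SyncSession
    queued: bool

def can_read(requester: User, status: SyncStatus) -> bool:
    """Same facility AND (facility admin OR coach of the target user)."""
    target = status.user
    if requester.facility_id != target.facility_id:
        return False
    return requester.is_admin or target.id in requester.coaches

def serialize(requester: User, status: SyncStatus) -> dict:
    """Return only what a UI needs; the session id never leaves the server."""
    if not can_read(requester, status):
        raise PermissionError("not a coach or admin for this user")
    session = status.sync_session
    return {
        "user": status.user.id,
        "queued": status.queued,
        # Looked up across the foreign key instead of exposing the key itself.
        "last_activity_timestamp": session.last_activity_timestamp.isoformat(),
    }

# Constructed sample data.
SESSION = SyncSession("constructed-session-id-0001",
                      datetime(2021, 7, 14, tzinfo=timezone.utc))
LEARNER = User("learner-1", "facility-a")
PEER = User("learner-2", "facility-a")
COACH = User("coach-1", "facility-a", coaches=frozenset({"learner-1"}))
OTHER_ADMIN = User("admin-9", "facility-b", is_admin=True)
STATUS = SyncStatus(LEARNER, SESSION, queued=False)

if __name__ == "__main__":
    print(serialize(COACH, STATUS))
```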

@jamalex jamalex left a comment

Cool, thanks!

@rtibbles rtibbles changed the base branch from develop to release-v0.15.x July 27, 2021 17:58
@rtibbles rtibbles merged commit b87f9da into learningequality:release-v0.15.x Jul 27, 2021
@rtibbles rtibbles deleted the permissions branch July 27, 2021 17:59