[Feature Request] Extend API security layers with Collaboration scope #245

Closed
frankcorneliusmartin opened this issue Aug 3, 2022 · 4 comments · Fixed by #711

@frankcorneliusmartin
Contributor

Problem description
Currently it is not possible to edit settings on a Collaboration level. In practice this is usually needed, and currently these kinds of collaboration admins receive too much permission on the server.

Desired solution
Currently the main scopes we are using are organization and global. The idea is to add a scope collaboration for all endpoints. The main advantage is that non-superadmin users can manage collaborations without seeing everything on the server.

@bartvanb
Member

bartvanb commented Jun 5, 2023

Resources todo:

  • User: CRUD
  • Organization: U (delete doesn't exist, create makes no sense - same rule as global)
  • Role: CRUD
  • Node: CRUD
  • Task: D (update doesn't exist, create and read make no sense - same as organization scope)
  • Task: modify organization delete, and create rule for deleting own tasks
  • Task: change organization scope create+view to collaboration, as that is the actual level
  • Run: R -> change org scope to col
  • Result: R -> change org scope to col
  • Collaboration: add option to only edit/delete collaborations you are part of yourself
  • Port endpoint will be deleted in v4 so we don't do that one
  • Extend the permission checks on the requests generating lists of the resources above
  • Check if this needs to be done for double endpoints - which do we keep in v4?
  • Test / check if unit tests are OK
  • Add new permissions to unit tests
  • Add rules to default role
  • Adapt UI

@frankcorneliusmartin
Contributor Author

Tested with the UI:

✅ User: CRUD
✅ Organization: U (delete doesn't exist, create makes no sense - same rule as global)
🟥 You did create them for read
✅ Role: CRUD
✅ Node: CRUD
✅ Task: D (update doesn't exist, create and read make no sense - same as organization scope)
Task: modify organization delete, and create rule for deleting own tasks
Task: change organization scope create+view to collaboration, as that is the actual level
Run: R -> change org scope to col
Result: R -> change org scope to col
Collaboration: add option to only edit/delete collaborations you are part of yourself
❓ Port endpoint will be deleted in v4 so we don't do that one
Extend the permission checks on the requests generating lists of the resources above
Check if this needs to be done for double endpoints - which do we keep in v4?
✅ Test / check if unit tests are OK
✅ Add new permissions to unit tests
✅ Add rules to default role -> checked all permissions of the default roles
✅ Adapt UI

@bartvanb
Member

bartvanb commented Sep 14, 2023

Check comments above

  • Check read rule organizations
  • Add collaboration scope for /vpn/algorithm/addresses

@bartvanb
Member

  • As indicated above, I created a 'read organizations from collaboration' rule while I indicated to only create 'update orgs from collab'. However, the rule should be created so all is well.
  • We don't need to add a collaboration scope for /vpn/algorithm/addresses as the endpoint is only accessible for containers and the endpoint only returns addresses from the container's own task (so no rules are used).
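
The collaboration scope requested in this issue, together with the todo item on extending permission checks to list requests, shown as an added example that is not the project's own code. The `Scope` enum, the rule layout, the operation names and the sample collaborations are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    # Scope names follow the issue; this enum itself is hypothetical.
    ORGANIZATION = "organization"
    COLLABORATION = "collaboration"
    GLOBAL = "global"


@dataclass(frozen=True)
class Node:
    id: int
    organization_id: int
    collaboration_id: int


@dataclass
class User:
    organization_id: int
    # (resource, operation) -> granted scope; hypothetical rule layout
    rules: dict = field(default_factory=dict)


# Constructed sample data: collaboration id -> member organization ids
COLLABORATIONS = {10: {1, 2}, 20: {3, 4}}
NODES = [Node(1, 1, 10), Node(2, 2, 10), Node(3, 3, 20)]


def can_access_node(user, node, operation):
    """Decide access from the single scope granted for this operation."""
    scope = user.rules.get(("node", operation))
    if scope is Scope.GLOBAL:
        return True
    if scope is Scope.COLLABORATION:
        # Allowed only inside collaborations the user's organization is part of
        members = COLLABORATIONS.get(node.collaboration_id, set())
        return user.organization_id in members
    if scope is Scope.ORGANIZATION:
        return node.organization_id == user.organization_id
    return False  # no rule for this operation: deny by default


def list_node_ids(user, nodes=NODES):
    """List requests reuse the per-item check so listings stay in scope."""
    return [n.id for n in nodes if can_access_node(user, n, "view")]


collab_admin = User(1, {("node", "view"): Scope.COLLABORATION,
                        ("node", "edit"): Scope.COLLABORATION})
org_admin = User(1, {("node", "view"): Scope.ORGANIZATION})
```

Here `collab_admin` can view and edit nodes 1 and 2 in collaboration 10 but not node 3, which only a global rule would reach.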
