The current implementation hard-codes particular actions to particular roles, e.g. "only 'archivist' can send license requests". This is very inflexible. It is much more common to separate these things out as a permissions and roles matrix. In this model, the code for different actions only checks if the current user has that permission, e.g. "only users with the 'can send license requests' permission can view this page". Which users and roles have which permissions can then be managed separately, where each role has a set of permissions, and even at the level of granting individual users a single additional permission, if needed.
This is quite a large, invasive change, and would need a lot of care. It would involve:
Creating new table(s) for mapping roles and users to permissions.
Removing the user.hasRole method and any related methods (e.g. scanning for all mentions of roles), so that all existing permissions logic becomes a compilation error.
Adding new user.hasPermission(Permission.CAN_SEND_LICENSE_REQUESTS) logic to the User class and in every place permissions are used.
If there's any chance that we might move to a new platform anytime soon, it would make more sense to include this as a requirement for that rather than hacking W3ACT.
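A sketch of the proposed matrix, added here as an illustration rather than W3ACT code: the two new tables (role to permissions, user to extra permissions) are stood in for by in-memory maps, and User.hasPermission replaces hasRole with a deny-by-default lookup. Only Permission.CAN_SEND_LICENSE_REQUESTS comes from the issue; the other permission names, role names and user ids are assumptions.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical permission set; only CAN_SEND_LICENSE_REQUESTS is named in the issue.
enum Permission { CAN_SEND_LICENSE_REQUESTS, CAN_EDIT_TARGETS, CAN_MANAGE_USERS }

/** In-memory stand-in for the two new tables: role -> permissions and user -> extra permissions. */
final class PermissionMatrix {
    private final Map<String, Set<Permission>> rolePermissions = new HashMap<>();
    private final Map<String, Set<Permission>> userGrants = new HashMap<>();

    void grantToRole(String role, Permission p) {
        rolePermissions.computeIfAbsent(role, k -> EnumSet.noneOf(Permission.class)).add(p);
    }
    void grantToUser(String userId, Permission p) {
        userGrants.computeIfAbsent(userId, k -> EnumSet.noneOf(Permission.class)).add(p);
    }
    Set<Permission> forRole(String role) {
        return rolePermissions.getOrDefault(role, EnumSet.noneOf(Permission.class));
    }
    Set<Permission> forUser(String userId) {
        return userGrants.getOrDefault(userId, EnumSet.noneOf(Permission.class));
    }
}

final class User {
    final String id;
    final Set<String> roles;
    User(String id, Set<String> roles) { this.id = id; this.roles = roles; }

    // Replaces hasRole(): deny unless a direct user grant or one of the user's roles carries p.
    boolean hasPermission(PermissionMatrix m, Permission p) {
        if (m.forUser(id).contains(p)) return true;
        for (String role : roles) if (m.forRole(role).contains(p)) return true;
        return false;
    }
}

public class Demo {
    public static void main(String[] args) {
        PermissionMatrix m = new PermissionMatrix();
        m.grantToRole("archivist", Permission.CAN_SEND_LICENSE_REQUESTS);
        m.grantToRole("archivist", Permission.CAN_EDIT_TARGETS);
        m.grantToUser("u42", Permission.CAN_SEND_LICENSE_REQUESTS); // one-off grant to a single user
        User archivist = new User("u1", Set.of("archivist"));
        User viewer = new User("u42", Set.of("viewer"));
        System.out.println(archivist.hasPermission(m, Permission.CAN_SEND_LICENSE_REQUESTS));
        System.out.println(viewer.hasPermission(m, Permission.CAN_SEND_LICENSE_REQUESTS));
        System.out.println(viewer.hasPermission(m, Permission.CAN_EDIT_TARGETS));
    }
}
```

Because every action handler asks only hasPermission, adding a role or granting a single user an extra permission is a data change in the matrix rather than a code change, and a role with no row in the table simply gets nothing.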