Closed phavekes closed 2 days ago
@bstrooband can you be more specific in the story? I assume you refer to the one remaining voter: `AllowedInOtherInstitutionVoter`? (Michiel Kodde - Feb 7, 2019)
This is indeed that only voter. Maybe we are safe because this is checked in MW, but I think we should validate that assumption. (bstrooband - Feb 8, 2019)
I've added tests and checked the RA endpoints. I had to add the actorId to the ra listing endpoint to filter on authorization context in MW and I fixed
Clientbundle: https://github.com/OpenConext/Stepup-Middleware-clientbundle/pull/79
MW: https://github.com/OpenConext/Stepup-Middleware/pull/267
RA: https://github.com/OpenConext/Stepup-RA/pull/203
deploy: https://github.com/OpenConext/Stepup-Deploy/pull/81
(bstrooband - Feb 14, 2019)
Finished review (Michiel Kodde - Feb 18, 2019)
This issue is imported from Pivotal - Originally created at Feb 4, 2019 by bstrooband
The built-in authorization checks (checking if a user is RAA (denyunlessgranted)) might not work as intended, as an RA user might be RA for institution-a and RAA for institution-b. The built-in voter merely checks against the role that is stored in the auth identity.
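The gap described in the issue above, as an added example (not code from Stepup-RA or Stepup-Middleware): a role-only check next to an institution-scoped check and a listing filter, run against one constructed identity. The class, the function names, the role strings and the sample data are all assumptions made for illustration; it needs PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Constructed model (hypothetical names): the roles one identity holds per institution.
final class Identity
{
    /** @param array<string, string[]> $rolesByInstitution */
    public function __construct(public readonly array $rolesByInstitution) {}

    /** Roles flattened the way a session token would carry them: institution is lost. */
    public function flatRoles(): array
    {
        return array_values(array_unique(array_merge(...array_values($this->rolesByInstitution))));
    }
}

// Role-only check: passes whenever the role is held anywhere.
function isGrantedByRole(Identity $actor, string $role): bool
{
    return in_array($role, $actor->flatRoles(), true);
}

// Scoped check: the role must be held for the institution that owns the subject.
// An unknown institution yields an empty role list, so the result is deny.
function isGrantedForInstitution(Identity $actor, string $role, string $institution): bool
{
    return in_array($role, $actor->rolesByInstitution[$institution] ?? [], true);
}

// Listing filter: keep only the rows the actor may manage as RAA.
function filterListing(Identity $actor, array $rows): array
{
    return array_values(array_filter(
        $rows,
        fn (array $row): bool => isGrantedForInstitution($actor, 'ROLE_RAA', $row['institution'])
    ));
}

// Constructed sample data: RA for institution-a, RAA for institution-b.
$actor = new Identity(['institution-a' => ['ROLE_RA'], 'institution-b' => ['ROLE_RA', 'ROLE_RAA']]);
$rows = [
    ['name' => 'ra-candidate-1', 'institution' => 'institution-a'],
    ['name' => 'ra-candidate-2', 'institution' => 'institution-b'],
];

foreach ($rows as $row) {
    printf("%s (%s): role-only=%s scoped=%s\n", $row['name'], $row['institution'],
        var_export(isGrantedByRole($actor, 'ROLE_RAA'), true),
        var_export(isGrantedForInstitution($actor, 'ROLE_RAA', $row['institution']), true));
}
printf("rows visible after filtering: %d\n", count(filterListing($actor, $rows)));
```

The role-only check grants RAA for both rows, while the scoped check and the filter grant it only for the institution-b row.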