[#149] Restrict access to drawings and organisations

[krissy]

This updates the permissions around viewing, editing or deleting drawings, restricting access to Super Admins OR those within the same organisation.

It also restricts viewing, editing or deleting Organisations to Super Admins only.

NB: At this time, all of the urgent role permissions we need for a next pilot involving a second organisation are implemented. However, the Org Admin level is still exactly the same as a normal admin, so there is still a separate ticket (TODO write up) / task left to adjust Org Admin levels to allow them to access and create users - but only in their organisation. Super Admins will need to add new users in the meantime.

Addresses issue: #149

What this does

• [x] Viewing drawings index:
  • [x] Add a new scope to the Drawing model to filter drawings by org ID
  • [x] Update the Drawings controller to restrict to super admins or use the new scope
• [x] Viewing/updating/deleting a single drawing:
  • [x] Update the Drawing model with two methods checking view and edit rules, taking into account user role and organisations
  • [x] Update the drawings controller to use the new model methods above, redirect to homepage with appropriate errors if access is denied
• [x] Restrict all Organisation access to Super Admins only with authorize method

Screenshots

Super admin (access to all drawings and orgs):

Admin or Org admin (access to all drawings within org + no access to edit orgs):

Attempt to view an unauthorized drawing by accessing URL directly:

Attempt to edit/delete an unauthorized drawing by accessing URL directly:

Attempt to access/edit organisations when unauthorized

[CathMollie]

All worked for me. As an Admin user, I:

• COULD NOT see other Orgs
• COULD NOT see other users outside my Org
• COULD NOT access drawing URLs I was not authorised to see (rejected after sign-in)
• COULD see drawings by Superuser plus other Admin in my Org
• COULD edit and delete drawings by Superuser plus other Admin in my Org