Change meaning of ip/identities for update/delete

[nichtich]

copied from this comment to an independent issue

This comment would make sense, not just for mappings/concordances, but for all entities:

• "For create and read, the properties ips and identities mean that only those identities/IPs can perform that action."
• "For update and delete, a user can always perform that action if they are authorized and the creator of that particular entity. If ips and/or identities is set for these actions, those IPs/identities can additionally update or delete entities which belong to no creator URI."
• This would mean that we could give someone basically partial superuser powers by adding their identity to identities in update/delete.

[nichtich]

Sounds good, but wait until we actually need it. This may clash with creator and contributor at least when a user is not logged in but only get's privileges via ip.

[stefandesu]

Makes sense, better wait for a use case, but keep this solution in mind. 👍

[nichtich]

In https://github.com/gbv/cocoda/issues/693 we want selected users to be able to delete items of other creators for cleanup (no update!). So we could change implication of config key identities at delete so all accounts listed there can delete all items. Disadvantage: this may be confusing and it is not possible to configure a jskos-server instance for a set users, each editing their own items.

Better close this original issue and add a crossIdentities key for action update and delete:

• crossIdentities: List of URI strings. Can be defined only on update and delete actions when auth is true. Allows users with an URI given in the list to edit an entity from a different user than the authenticated one.

[stefandesu]

We could also just used the existing crossUser key and allow it to be a list of URI strings (in addition to a boolean value). Its description matches exactly what we want and there would be no need to add a new config key.

[stefandesu]

Closed in favor of #184.