joyent / conch-api

Datacenter build and management service
Mozilla Public License 2.0

device report submission endpoint does not check permissions #598

Open karenetheridge opened 5 years ago

karenetheridge commented 5 years ago

Similarly to https://github.com/joyent/conch/issues/561, any user can submit a device report, for a new or existing device. When a device already exists, current data is overwritten with the new values in the report, so data loss can definitely occur.

We should check permissions in some fashion. We can't do it the same as we would do in #561 for all other /device/:id endpoints:

The normal logic is thus:

Whether the device exists or not (on report receipt), we can look for device_relay_connection and user_relay_connection entries. That should probably always be done, as relays should always be registering themselves with the API before submitting reports.

If the device exists, and it has a location, we can also do the workspace permission check. Should we?

If the device exists and has no location, should we be even accepting the report?

perigrin commented 5 years ago

I think this is actually a bug but for a feature we're moving into the DCIM system. We need to have a conversation still about the permission system on the devices in the DCIM system, but it will likely be something like this.

karenetheridge commented 4 years ago

Now that a device must exist (with a build id) before a report can be submitted, we can now insist on the relay user having 'rw' permission on the build.
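The authorization check described in this last comment, written out as an added example (not conch-api's own code): the device must exist and carry a build, the relay must be registered by the submitting user, and that user must hold 'rw' on the build before any stored data is overwritten. The in-memory table shapes, the 403 response and treating 'rw' as the only write-granting role are assumptions.

```python
# Constructed in-memory stand-ins for the tables the issue names
# (user_relay_connection, device_relay_connection, device.build_id and a
# per-build user role). Shapes are hypothetical, not conch-api's schema.
DEVICES = {
    "dev-with-build": {"build_id": "build-A", "health": "pass"},
    "dev-no-build": {"build_id": None, "health": "unknown"},
}
BUILD_USER_ROLE = {("alice", "build-A"): "rw", ("bob", "build-A"): "ro"}
USER_RELAY_CONNECTION = {("alice", "relay-1"), ("bob", "relay-1")}
DEVICE_RELAY_CONNECTION = set()
REPORTS = {}


def authorize_report(user, relay, device_id):
    """Decide whether `user`, submitting via `relay`, may post a report for
    `device_id`. Returns (allowed, reason) so the endpoint can log the reason."""
    # The relay must have registered itself with the API under this user first.
    if (user, relay) not in USER_RELAY_CONNECTION:
        return False, "relay not registered by this user"
    device = DEVICES.get(device_id)
    # Reports for devices that do not exist yet are no longer accepted.
    if device is None:
        return False, "device does not exist"
    # A device without a build has no build permission to check against.
    if device["build_id"] is None:
        return False, "device has no build"
    # Only the 'rw' role on the build grants write access to device data
    # (assumption: no higher role exists in this sample role model).
    if BUILD_USER_ROLE.get((user, device["build_id"])) != "rw":
        return False, "user lacks rw on build"
    return True, "ok"


def submit_report(user, relay, device_id, report):
    """Endpoint behaviour after the fix: authorize first, and only then
    overwrite stored device data and record the device/relay pairing."""
    allowed, reason = authorize_report(user, relay, device_id)
    if not allowed:
        return {"status": 403, "error": reason}
    DEVICES[device_id].update(report)          # the overwrite happens only here
    DEVICE_RELAY_CONNECTION.add((device_id, relay))
    REPORTS.setdefault(device_id, []).append(report)
    return {"status": 200, "device": device_id}
```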