
Restrict access to /instance and /api endpoints

Jillian Vogel requested to merge jill/beta-user-permission into master

This change restricts access to the /instance and /api URLs to staff users, and users with InstanceManagerPermission.

JIRA tickets: Implements OC-1550

Screenshots:

Non-privileged users see Permission Denied for /api URLs:

[Screenshot, 2016-06-08: Permission Denied page shown to a non-privileged user on an /api URL]

Testing instructions:

  1. Set up an opencraft devstack according to the instructions in README.
  2. Be sure to run make migrate, as this change introduces a new permission model.
  3. Run automatic tests: make test
  4. Set up users for manual tests: make shell

       In [1]: from django.contrib.auth.models import User
       In [2]: beta = User.objects.create_user('beta', 'beta@example.com', 'beta')
       In [3]: staff = User.objects.create_user('staff', 'staff@example.com', 'edx')
       In [4]: staff.is_staff = True
       In [5]: staff.save()
       In [6]: superuser = User.objects.create_user('superuser', 'superuser@example.com', 'super')
       In [7]: superuser.is_superuser = True
       In [8]: superuser.save()

  5. With each user in [beta, staff, superuser]:
     • Visit http://localhost:5000, and click Login.
       • beta should redirect to /registration/
       • staff, superuser should redirect to /instance/
     • Visit http://localhost:5000/instance/:
       • beta should redirect to /registration/
       • staff, superuser should redirect to /instance/
     • Visit http://localhost:5000/api/
       • beta user should get 403
       • staff, superuser should get 200, and be able to navigate further
     • Click 'Logout' in between each user.
       • Should redirect to /registration/

Author notes and concerns:

  1. make test_prospector's pylint tests were returning a number of no-member errors for inherited members of the new InstanceManagerPermission and InstanceManagerPermissionManager classes. Error messages are visible in the initial CircleCI run.

    This appears to be a pylint-django bug, addressed by PR #74. I've suppressed the errors with commit efcbac2.
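The access rule and the expected responses from the manual test matrix above, modelled as a small added Python example (not code from this merge request or the opencraft project). The permission codename, the User class and the authorize() routing are assumptions that mirror Django's has_perm semantics (inactive users hold no permissions, superusers implicitly hold all) without requiring Django.

```python
from dataclasses import dataclass

# Assumed codename: the MR names the InstanceManagerPermission model but not its codename.
INSTANCE_MANAGER_PERM = "instance.instance_manager"
REGISTRATION_URL = "/registration/"


@dataclass(frozen=True)
class User:
    """Minimal stand-in for django.contrib.auth's User (assumption, not the project's model)."""
    username: str
    is_authenticated: bool = True
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False
    permissions: frozenset = frozenset()

    def has_perm(self, codename: str) -> bool:
        # Django semantics: inactive users have no permissions; active superusers have all.
        if not self.is_active:
            return False
        return self.is_superuser or codename in self.permissions


ANONYMOUS = User("anonymous", is_authenticated=False)


def is_instance_manager(user: User) -> bool:
    """The MR's rule: staff users, or users holding InstanceManagerPermission."""
    if not (user.is_authenticated and user.is_active):
        return False
    return user.is_staff or user.has_perm(INSTANCE_MANAGER_PERM)


def authorize(user: User, path: str) -> tuple:
    """Return (status, redirect_location) for a request to `path`.

    UI paths bounce unprivileged users to /registration/; API paths answer 403
    instead, so API clients get a clear denial rather than an HTML login page.
    """
    allowed = is_instance_manager(user)
    if path == "/":
        return (302, "/instance/") if allowed else (302, REGISTRATION_URL)
    if path.startswith("/instance"):
        return (200, None) if allowed else (302, REGISTRATION_URL)
    if path.startswith("/api"):
        return (200, None) if allowed else (403, None)
    return (200, None)  # paths outside the restricted prefixes are unaffected
```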
