Sort out permissions across all components

  • unstage - oais.can_unstage or superuser
  • execute step - oais.can_access_all_archives or creator
  • get_objects_for_user(user, "oais.view_archive") - but no mechanism to assign this? see assign_perm https://django-guardian.readthedocs.io/en/stable/api/guardian.shortcuts.html
  • by default every archive is restricted, no mechanism to change it?
  • download_artifact - only if creator, otherwise 401
  • list of archives - starting queryset is the one the user has created, even for superusers
    • there are 2 endpoints to get it: by user and from Archives, and they return different results
  • Groups are not used - check if we need it?
  • archive_save_manifest - permission
  • create/delete permissions are missing?
  • see staging area - if user is creator for archive --> superusers can't see to approve?
  • add_to_staging_area - no permission?
  • archive_action_intersection - permissions not checked?

From backend:

# If the user has the 'oais-admin' claim (the CERN account is in the 'oais-admin' e-group) or the 'can-create-archive' one (the CERN account is in the 'dmp-create-archives' e-group) give them the 'can_unstage' permission

Todo:

  • Verify if cern_roles are in claims (it doesn't seem so)
  • Make sure superusers can do anything - download, execute steps etc.
  • Do we need functionalities to change archive restrictions and assign access to specific users?
  • List archives - maybe reduce to one endpoint to avoid confusion (ArchiveViewSet, UserViewSet)
  • archives_details (only owned), archive_steps, archive_next_steps, archive_tags, archive_save_manifest not checked if user has access to archive?
  • why check permission in serializer? can check before to reduce payload
  • consolidate using BadRequest("Unauthorized")/401/403
  • why do we have 2 endpoints for unstaging?
  • UI: don't show the confirm button for staged records if the user has no permission to confirm
Edited by Panna Liptak
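
One way to consolidate the checks listed above into a single decision point, as an added example (not the project's own code). It is plain Python with no Django or guardian dependency; User, Archive, decide and visible are hypothetical names, the viewers set stands in for per-object "oais.view_archive" grants, and letting unrestricted archives and can_access_all_archives holders pass the "view" rule is an assumption.

```python
from dataclasses import dataclass, field

ALLOW, UNAUTHENTICATED, FORBIDDEN = 200, 401, 403

@dataclass
class User:
    id: int
    authenticated: bool = True
    superuser: bool = False
    perms: set = field(default_factory=set)    # global perms, e.g. "oais.can_unstage"

@dataclass
class Archive:
    creator_id: int
    restricted: bool = True                    # restricted by default, as noted in the issue
    viewers: set = field(default_factory=set)  # stand-in for per-object view grants

def _is_creator(u, a):
    return u.id == a.creator_id

def _sees_all(u):
    return "oais.can_access_all_archives" in u.perms

# One rule per action, mirroring the findings in the issue.
RULES = {
    "view": lambda u, a: (not a.restricted or _is_creator(u, a)
                          or u.id in a.viewers or _sees_all(u)),
    "download": _is_creator,
    "execute_step": lambda u, a: _is_creator(u, a) or _sees_all(u),
    "unstage": lambda u, a: "oais.can_unstage" in u.perms,
}

def decide(user, archive, action):
    """Return the HTTP status a view should answer with for this request."""
    if action not in RULES:
        raise ValueError(f"no rule for {action!r}")  # fail closed on unknown actions
    if user is None or not user.authenticated:
        return UNAUTHENTICATED                       # no identity: 401
    if user.superuser or RULES[action](user, archive):
        return ALLOW                                 # superuser override applies to every action
    return FORBIDDEN                                 # known identity, not allowed: 403

def visible(user, archives):
    """Single listing path: filter all archives, not only the user's own."""
    return [a for a in archives if decide(user, a, "view") == ALLOW]
```

Because every view calls the same function before touching the serializer, the superuser override and the 401/403 split cannot drift between endpoints.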