Custom permission for uploading sources

[alexhebing]

As part of release/0.0.3, I prevented newly registered users (who don't have staff status) from uploading sources. See commit ec4f04e. This involved removing the Upload button from the menu, and requiring IsAdmin permission on the backend. Non staff members will never upload sources. Guaranteed.

However, if the non-staff user goes to the /upload url, she will still see the form (if she tries to upload a source she will receive an error message). Do we want some sort of mechanism in place to prevent this type of thing?

@jgonggrijp : what do you think?

[jgonggrijp]

I think two things:

1. Whether somebody can upload sources should be a separate permission, rather than depend on staff status. But I understand you probably have the same opinion on this and just went for the current approach as a quick solution.
2. Yes, we do want to have some sort of mechanism in place to prevent users from seeing things that don't work for them.

We might use a state machine for this, but I'm open to other suggestions.

[alexhebing]

Yes, I agree a custom permission would be better. Changed the title of the issue accordingly. I'm not sure how a state machine would contribute here, it feels more intuitive to me to simply have a list of permissions in the user object. But let's discuss this when starting work on the issue.

[jgonggrijp]

Well maybe I can already clear up some confusion. I think the user object should contain a list of permissions, too. The state machine would serve to prevent huge trees of if/else everywhere.

[jgonggrijp]

Implemented long ago.