Implement private workspaces and ACLs

MUST: Implement private workspaces and associated access control rules on all the API and interfaces

  • Needed for embargoed security updates

Related blueprints:

Base infrastructural issues:

Scope management:

Group management:

  • #507 (closed) UI to manage groups in a scope
  • #506 (closed) Add an interface to add/remove users to/from a group
  • document scope/group as a naming scheme

Workspace management:

  • #527 (closed) Add a management command to manage workspaces in a scope
  • #489 (closed) Add roles for existing use cases
  • #490 (closed) Implement workspace visibility permissions
  • #536 (closed) Refactor debusine.db.models.workspaces.Workspace.get_collection to use permissions
  • document scope/workspace as a naming scheme

Add permission checks:

  • !1267 (merged): Check that a user has permission to create a workspace
  • !1271 (merged): Set current workspace (and check can_display) in views with a workspace as parameter
  • TODO: this is a significant refactoring of existing code, to be planned once we have at least some role checking working

Edited by Enrico Zini