Add a temporary and read-only access level

[noah-schechter]

Current Atlos offers four permissions levels:

• Viewer
• Editor
• Manager
• Owner

Proposed Partners have proposed a fifth, temporary and read-only level. This tier, which I'll call Guest for the purpose of this issue (real name to come) would be different from Viewer in several ways:

• Guests' access would be time boxed—projects owners would be able to set an end date on outsiders' access. Viewers, on the other hand, have permanent access to projects unless their access is actively revoked by an owner.
• Guests wouldn't have access to CSV download. While a sufficiently motivated actor could use access to the web interface to reconstruct a CSV; blocking access to CSV download makes it much more challenging for outside partners to retain access to a project's data after they lose access to the project itself.

Not that blocking access to CSV download will add some tricky edge cases—a user who is a guest in one project and a viewer of another wouldn't be able to download all of the data returned for a search across both projects; we'll need to figure out how to explain this situation concisely.