sw360portal
Add explicit permission checks
From @heydenreich on November 23, 2016 10:45
When implementing permissions with Shiro, only the "old" checks were replaced by new ones. But with Shiro you are able to specify new restrictions, e.g. restricted visibility for components. Those would not be respected in the current version of SW360. Therefore we need to add more explicit permission checks. Some places that I came across:
- visibility of components, releases, licenses, vendors, vulnerabilities when listing the overview table
- attachment actions are usually not requested separately, but are allowed whenever editing the document is allowed; check whether attachment deletion is even allowed with only read permission on the document?
- the USERS action is not used: discuss whether it should be used to add moderators etc. to documents
- Check the generation of moderation requests: currently users are added as moderators to a moderation request based on their role (clearing admin, admin); should this not be based on explicit permissions to write the document? NB: At the moment, not all users who are allowed to edit the document are used as moderators as well.
Copied from original issue: bsinno/sw360#350
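As an added illustration, not code from the sw360 project or from this issue: the kind of explicit Shiro check the issue asks for, written in plain Java against Shiro 1.x with an in-memory `Ini` realm. The document classes, the permission string layout (`type:action:visibility`), the users, roles and visibility labels are all assumptions made for this example; SW360's own permission strings and document model are not shown here. The overview listing filters on an explicit read permission per document, and attachment deletion requires its own `attachment:delete` permission instead of being inherited from edit access.

```java
import java.util.List;
import java.util.stream.Collectors;

import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

/** Hypothetical minimal document model (assumption, not SW360's classes). */
record Component(String id, String visibility) {}
record Attachment(String id, String parentComponentId) {}

public class ExplicitPermissionChecks {

    /** Wildcard permission layout assumed for the example: <type>:<action>:<visibility>. */
    static String perm(String type, String action, String visibility) {
        return type + ":" + action + ":" + visibility;
    }

    /** Overview table: keep only the components the subject is explicitly permitted to read. */
    static List<Component> visibleComponents(Subject subject, List<Component> all) {
        return all.stream()
                .filter(c -> subject.isPermitted(perm("component", "read", c.visibility())))
                .collect(Collectors.toList());
    }

    /**
     * Attachment deletion: the subject must be able to read the parent document AND hold
     * an explicit attachment:delete permission for it. Read access alone is not enough,
     * and the right is not derived from "may edit the document".
     */
    static boolean mayDeleteAttachment(Subject subject, Attachment att, List<Component> all) {
        Component parent = all.stream()
                .filter(c -> c.id().equals(att.parentComponentId()))
                .findFirst()
                .orElse(null);
        if (parent == null) {
            return false; // unknown parent: deny by default
        }
        return subject.isPermitted(perm("component", "read", parent.visibility()))
                && subject.isPermitted(perm("attachment", "delete", parent.visibility()));
    }

    /** Builds a fresh Subject bound to the given SecurityManager and logs it in. */
    static Subject loginAs(SecurityManager sm, String user, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        subject.login(new UsernamePasswordToken(user, password));
        return subject;
    }

    public static void main(String[] args) {
        // Constructed in-memory realm; users, passwords and roles are illustrative only.
        Ini ini = new Ini();
        Ini.Section users = ini.addSection("users");
        users.put("alice", "alicepw, viewer");
        users.put("bob", "bobpw, editor");
        Ini.Section roles = ini.addSection("roles");
        roles.put("viewer", "component:read:public");
        roles.put("editor", "component:read:*, component:write:*, attachment:delete:*");
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();

        // Constructed sample documents: one public, one with restricted visibility.
        List<Component> all = List.of(
                new Component("c1", "public"),
                new Component("c2", "restricted"));
        Attachment att = new Attachment("a1", "c2");

        Subject alice = loginAs(sm, "alice", "alicepw");
        System.out.println("alice sees " + visibleComponents(alice, all));              // [c1]
        System.out.println("alice may delete a1: " + mayDeleteAttachment(alice, att, all)); // false

        Subject bob = loginAs(sm, "bob", "bobpw");
        System.out.println("bob sees " + visibleComponents(bob, all));                  // [c1, c2]
        System.out.println("bob may delete a1: " + mayDeleteAttachment(bob, att, all));     // true
    }
}
```

The point of the two helpers is that each sensitive operation names the permission it needs, so a restriction added later in the realm (a new visibility level, or withdrawing `attachment:delete` from a role) takes effect without touching the callers.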