If you have something like a DRF ListCreateAPIView, how do you permission it? The GET handler is for listing objects, the POST handler for creating them. Perhaps the permission_required attribute in PermissionRequiredMixin should take a dictionary mapping HTTP methods to permissions?
For organisations API views, I had to implement a Django Rest Framework specific PermissionRequiredMixin, because permission verification is different in DRF. The mixin also handles permissions for multi-action views (mixin code).
Here, I'm going to pull the permissions features that @oliverroick has implemented in Cadasta/cadasta-platform#64 into django-tutelary, adding some additional options to the actions attribute for permissioned models and the permission_required attribute in the PermissionsRequiredMixin. In particular, as well as Oliver's dictionary-based approach to permissions for "multi-method" views, I'll also add the option of providing a callable at various places in permission_required to allow for a more flexible approach to deciding what permissions are needed in a view.
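The dictionary-plus-callable resolution discussed in this thread, as an added example in plain Python (it is not django-tutelary's or cadasta-platform's code). The function names, the `(view, request)` callable signature and the permission names are assumptions; a method with no entry in the mapping is denied rather than left unguarded.

```python
from types import SimpleNamespace

class PermissionDenied(Exception):
    """Raised when the request may not proceed."""

def resolve_required(spec, request, view=None):
    """Return the tuple of permission names this request needs.

    spec: a name, an iterable of names, a dict keyed by upper-case HTTP
    method, or a callable (view, request) -> any of those forms.
    """
    if callable(spec):
        return resolve_required(spec(view, request), request, view)
    if isinstance(spec, dict):
        method = request.method.upper()
        if method not in spec:
            # Fail closed: an unmapped method is denied, not left unguarded.
            raise PermissionDenied(f"no permissions declared for {method}")
        return resolve_required(spec[method], request, view)
    if spec is None:
        raise PermissionDenied("permission spec resolved to None")
    return (spec,) if isinstance(spec, str) else tuple(spec)

def is_allowed(spec, request, granted, view=None):
    """True only if every required permission is in `granted`."""
    try:
        required = resolve_required(spec, request, view)
    except PermissionDenied:
        return False
    return all(name in granted for name in required)

# Constructed sample: the permission names and this view spec are made up.
LIST_CREATE_SPEC = {
    "GET": "org.list",
    "POST": lambda view, request: ("org.create", "org.list"),
}

if __name__ == "__main__":
    viewer = {"org.list"}  # a user who may list but not create
    for method in ("GET", "POST", "DELETE"):
        request = SimpleNamespace(method=method)
        print(method, is_allowed(LIST_CREATE_SPEC, request, viewer))
```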