Summary: fix/clarify behavior of list permission #6660

Open
ebruchez opened this issue Dec 2, 2024 · 1 comment
Collaborator

ebruchez commented Dec 2, 2024

Access to the Summary page is tricky:

Now, we had a question from a user whereby it seemed that with 2021.1.x, users could access the Summary page, but with 2023.1.x, they can no longer. The permissions in the form look like this:

```xml
<permissions>
    <permission operations="read update delete">
        <owner/>
    </permission>
    <permission operations="create">
        <user-role any-of="my-role"/>
    </permission>
</permissions>
```

The UI that matches the above:

image

Now, the Summary page doesn't look at the data-based ("Owner", etc.) permissions at all to check the list permission. In fact, showing these checkboxes is considered a bug/regression (#5864).

Instead, the Summary page checks the list permission exclusively based on the other lines:

  • Anyone/Require token
  • Any authenticated user
  • Roles

This issue clarifies the above, but also suggests that maybe we should do more to help with the Summary page access. We discussed with @avernet, in particular:

  1. that maybe we should revive an "optimistic" permission check for the Summary page
    • if we don't have a `list` permission otherwise
    • then if any of the data-based permissions has list, we show the page, otherwise we reject access
    • this said: this won't be possible if we hide/make readonly the list checkboxes for data-based permissions
  2. OR that maybe we should consider that the "Any authenticated user" line with list should be implied in some cases
    • but how?

+1 from customer

Collaborator

avernet commented Dec 2, 2024

Here is a slightly revised version of what we discussed this morning:

  • In the Permissions dialog, the "List" checkbox remains available for the "Owner" line.
  • Checking or unchecking "List" for "Any authenticated user" automatically checks or unchecks "List" for the owner, and vice versa.
    • When the dialog opens, if only one of the checkboxes is selected, the other is automatically "forced-checked."
  • At runtime, `<permission operations="...">` without `-list` for `<owner/>` is interpreted as allowing any authenticated user to list (consistent with how we handle `<any-authenticated-user/>`).

Benefits:

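The three list-permission rules discussed in this thread, evaluated against the form's `<permissions>` block, as an added example that is not part of either comment and is not Orbeon's code. The function and policy names are hypothetical, and it assumes that `operations` is a space-separated token list, that a `<permission>` with no condition means "Anyone", and that `<owner/>` is the only data-based condition in play.

```python
import xml.etree.ElementTree as ET

# The form's permissions exactly as quoted in the issue.
FORM_PERMISSIONS = """
<permissions>
    <permission operations="read update delete">
        <owner/>
    </permission>
    <permission operations="create">
        <user-role any-of="my-role"/>
    </permission>
</permissions>
"""

DATA_BASED = {"owner"}  # only <owner/> appears on the page; extend as needed


def _lines(xml_text):
    """Return (operation tokens, condition elements) for each <permission>."""
    return [(set(p.get("operations", "").split()), list(p))
            for p in ET.fromstring(xml_text).iter("permission")]


def _matches(conds, user):
    """Non-data-based match; user is None (anonymous) or a set of role names."""
    if not conds:                  # assumption: no condition means "Anyone"
        return True
    if user is None:
        return False
    return all(c.tag == "any-authenticated-user" or
               (c.tag == "user-role" and bool(user & set(c.get("any-of", "").split())))
               for c in conds)


def can_list(xml_text, user, policy="current"):
    """Decide Summary page access under one of the three rules in the thread."""
    lines = _lines(xml_text)
    data = [ops for ops, conds in lines if any(c.tag in DATA_BASED for c in conds)]
    other = [(ops, conds) for ops, conds in lines
             if not any(c.tag in DATA_BASED for c in conds)]
    # Current behavior per the issue: only the non-data-based lines are checked.
    if any("list" in ops and _matches(conds, user) for ops, conds in other):
        return True
    if policy == "optimistic":     # option 1: any data-based line carrying list
        return any("list" in ops for ops in data)
    if policy == "owner-implies":  # second comment: <owner/> without -list
        return user is not None and any("-list" not in ops for ops in data)
    return False
```

With the permissions from the issue, a user holding `my-role` is denied under `current` and `optimistic` (no line carries `list`) and allowed under `owner-implies`.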