Allow defining read-only users
We've realized after deploying the app that there are users that might be interested at least in read-only access. So the plan is as follows:
- change the code so that we can define a singular read-write group, that will be checked with mod_auth_cas headers like x-cas-memberof. Only users in that group will be able to write to the datastore and see the read-write features of the app.
- Modify the puppet code to configure CAS so that it allows all users in group 'wmf' to see the rules, but only users in group 'ops' to modify objects.