add dedicated source permission (& extra django admin view perms)

[eviljeff]

Fixes: mozilla/addons#15929

Description

The main change is source downloads now have a dedicated permission - enforced in the download view, and used to gate the link in the reviewer tools. Additionally 2 additional view-only permissions have been added to django admin.

Context

I've asked in the issue if a migration is needed to add the new permission to existing groups. Adding it manually is pretty easy too.

Testing

• Login with an admin user (*:*)
• Navigate to a review page for an add-on with sources for a version
  • to set one up, upload a new version for an add-on, and upload the source zip as part of the new version flow in developer hub.
• see there is a link to download the source; clicking the link downloads the source.
• Logout and login with a user without *:*
  • give them reviewer permission if necessary - Addons:Review
• Navigate to the same review page, see the link isn't there, and trying to go directly to the link (from your history) returns a permission error
• Logout that user; give them Addons:SourceDownload; login
• Navigate to the same review page, see the link is present, and clicking the link downloads the source

New django admin permissions

Testing isn't usually isn't necessary, but if you want,

• Addons:AdminView for viewing Addons in django admin (read-only view only)
• Collections:AdminView for view Collections in django admin (read-only view only)

Checklist

• Add #ISSUENUM at the top of your PR to an existing open issue in the mozilla/addons repository.
• Successfully verified the change locally.
• The change is covered by automated tests, or otherwise indicated why doing so is unnecessary/impossible.
• Add before and after screenshots (Only for changes that impact the UI).
• Add or update relevant docs reflecting the changes made.

[diox]

r+ but need to update docstrings/comments