@ethanstrominger ethanstrominger commented Oct 17, 2025

Fixes #570

Overview

See #346 for an overview of security. This PR checks that the fields in user post and patch requests are permitted. It compares a list of permitted fields to the fields in the request.

Tests

Automated tests created

Files changed

Implementation

  1. Added files for core patch and post field validation:
  • access_control.py
  • field_permissions.csv
  • has_user_permissions.csv
  • validate_request.py
  2. views.py: Modified views.py to include the permission defined in has_user_permissions.py

Seeding Test Data

  1. Created a new directory, test_data, for scripts to populate these test data. Populating the database before the test process kicks in is efficient. I tried it as fixtures that execute once per test run before any testing; I got it to work once, but then it gave an exception.
  2. I tried it as fixtures, got it to work once, but then it stopped working.
  3. 0001_populate_test_user_permission.py
  4. utils/seed_constants.py
  5. utils/seed_user_test_data.py - utility for populating all test users and permissions
  6. utils/seed_user.py - utility for creating a seed user

Testing

  1. Created files for testing:
  • test_field_permissions_csv.csv
  • test_patch_users.py
  • test_post_users.py
  • test_unit_access_control.py
  2. test_api.py:
  • Commented out post and patch tests in test_api.py
  • Modified tests to use User.count() rather than hardcoded expected values
  3. test_models.py: Modified the test in test_models.py to use the count from Users rather than hard-coding it to 1
  4. conftest.py: Changed the admin fixture to use the existing seeded admin user
  5. requirements.in, requirements.txt: Added pytest-mock
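The check the PR describes is an allowlist comparison: the fields a caller sends in a post or patch request are compared against a table of permitted fields, and anything outside the table is rejected. The following is an added illustration of that pattern written for this page; it is not the project's access_control.py, field_permissions.csv or validate_request.py. The CSV column layout (operation, role, field), the role names, and the function names are assumptions made for the example.

```python
"""Allowlist check of request fields for post/patch, driven by a CSV table.

Added illustration, not the project's code. The CSV columns
(operation, role, field) and all names below are assumptions.
"""
import csv
import io


class FieldPermissionError(ValueError):
    """Raised when a request contains fields the caller may not set."""


# Constructed sample in the spirit of a field_permissions.csv (assumed layout).
# Rows form an allowlist: an (operation, role) pair absent from the table
# permits nothing, so unknown roles and operations are denied by default.
SAMPLE_FIELD_PERMISSIONS_CSV = """\
operation,role,field
post,admin,username
post,admin,email
post,admin,first_name
post,admin,last_name
post,admin,is_active
patch,admin,email
patch,admin,first_name
patch,admin,last_name
patch,admin,is_active
patch,self,first_name
patch,self,last_name
"""


def load_field_permissions(csv_text):
    """Parse CSV text into {(operation, role): frozenset(field names)}."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["operation"].strip().lower(), row["role"].strip().lower())
        table.setdefault(key, set()).add(row["field"].strip())
    # Freeze the sets so a caller cannot widen the allowlist by mutating one.
    return {key: frozenset(fields) for key, fields in table.items()}


def find_disallowed_fields(permissions, operation, role, request_data):
    """Return the sorted list of request fields not permitted for this role.

    Deny by default: an unknown operation or role permits no fields at all,
    so every field in the request is reported as disallowed.
    """
    permitted = permissions.get((operation.lower(), role.lower()), frozenset())
    return sorted(set(request_data) - permitted)


def validate_request_fields(permissions, operation, role, request_data):
    """Raise FieldPermissionError naming every disallowed field.

    On success, return the sorted names of the fields that were supplied.
    """
    disallowed = find_disallowed_fields(permissions, operation, role, request_data)
    if disallowed:
        raise FieldPermissionError(
            f"{operation.upper()} as '{role}' may not set: {', '.join(disallowed)}"
        )
    return sorted(request_data)


PERMISSIONS = load_field_permissions(SAMPLE_FIELD_PERMISSIONS_CSV)


if __name__ == "__main__":
    # A user editing their own record may change names but not is_active.
    print(find_disallowed_fields(PERMISSIONS, "patch", "self",
                                 {"first_name": "Ada", "is_active": False}))
    try:
        validate_request_fields(PERMISSIONS, "post", "viewer", {"username": "x"})
    except FieldPermissionError as exc:
        print(exc)
```

Two design points carry over to a real view: the comparison is set difference against an allowlist, never a denylist of known-bad fields, so a newly added model field is closed until the CSV opens it; and the error reports every disallowed field rather than the first one, which lets an honest client fix its request in one round trip without leaking anything beyond field names the client already sent. Note that the check only constrains what is supplied; required-field validation for post still belongs to the serializer.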

@fyliu fyliu moved this to PR Needs review (automated column, do not place items here manually) in P: PD: Project Board Oct 21, 2025

Development

Successfully merging this pull request may close these issues.

Restrict post and patch fields in user request