Allow more fine grained access control #27
Description
Currently API keys are created with wights like :read, :update, :delete.
This then applies to all items or groups.
We should allow more fine grained control by explicitly allowing access only to specified items or item groups, like:
;; this allows update and delete access only for the mentioned items.
'(:update (item1 item2) :delete (item1 item2))
;; this allows control to all
'(:update :all :delete :all)
;; this inverses
'(:update-except (item1 item2) :delete-except (item1 item2))
Same applies for :read, where :update or :delete automatically implies :read.