Fixing activity list permissions #8152

Open
wants to merge 4 commits into
base: master

Member

@avdata99 avdata99 commented Apr 4, 2024

Proposed fixes:

It looks like we are not properly handling permission for the activities lists

If we open the user activities list we were defining {% set can_show_activity_detail = h.check_access('activity_list', {'id': id, 'include_data': True, 'object_type': object_type}) %} at a list level (not for each activity)

So can_show_activity_detail means that the user can user_update which is only appropriate to show user activities.
But if the user changed a dataset, we want to ask for package_update instead before showing the Changes option in the list.

I think each activity requires checking different permissions before showing

The View this version link points to activity.package_history which requires the activity_show permission
The Changes link points to activity.package_changes which requires the activity_diff permission

So in a user activity (also in other activities lists) list we can see links that point to URLs that will return 403

Features:

  • includes tests covering changes
  • includes updated documentation
  • includes user-visible changes
  • includes API changes
  • includes bugfix for possible backport

Please [X] all the boxes above that apply

@wardi wardi self-assigned this Apr 9, 2024
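
A small model of the list-level versus per-activity check described in the pull request, added here as an example; it is not CKAN code and not code from this PR. The permission names come from the description above; the grants table, user, dataset ids and helper functions are constructed for illustration.

```python
# Constructed model of the issue; every name except the permission strings
# (user_update, activity_show, activity_diff) is hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    id: str
    object_id: str  # the dataset the activity refers to


# Permission required by each link's target view, per the PR description.
LINK_PERMISSION = {"View this version": "activity_show", "Changes": "activity_diff"}

# Constructed sample: alice may update her own user and see details of ds1 only.
GRANTS = {
    ("alice", "user_update", "alice"),
    ("alice", "activity_show", "ds1"),
    ("alice", "activity_diff", "ds1"),
}
ACTIVITIES = [Activity("a1", "ds1"), Activity("a2", "ds2")]


def check_access(user, permission, object_id, grants=GRANTS):
    """Toy authorization lookup standing in for a real auth function."""
    return (user, permission, object_id) in grants


def links_list_level(user, list_owner, activities):
    """Before: one decision for the whole list, reused for every row."""
    can_show = check_access(user, "user_update", list_owner)
    return {a.id: list(LINK_PERMISSION) if can_show else [] for a in activities}


def links_per_activity(user, activities):
    """After: a link is rendered only if its own target would authorize."""
    return {a.id: [link for link, perm in LINK_PERMISSION.items()
                   if check_access(user, perm, a.object_id)]
            for a in activities}


def dead_links(user, rendered, activities):
    """Rendered links whose target view would answer 403."""
    by_id = {a.id: a for a in activities}
    return [(aid, link) for aid, links in rendered.items() for link in links
            if not check_access(user, LINK_PERMISSION[link], by_id[aid].object_id)]


if __name__ == "__main__":
    print(dead_links("alice", links_list_level("alice", "alice", ACTIVITIES), ACTIVITIES))
    print(dead_links("alice", links_per_activity("alice", ACTIVITIES), ACTIVITIES))
```

The same `dead_links` comparison works as a regression check: render the list for a low-privilege user and assert that every emitted link passes the permission its target requires.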