Support OPTIONS data show/hide of POST / PATCH / PUT capabilities

[AlanCoding]

This might already work, but there are not tests for it. Examples:

• If user doesn't have change_inventory permission, OPTIONS to /api/v1/inventories/42/ should not show PATCH or PUT actions. Otherwise it should show these.
• If user doesn't have add_organization permission, either by being a superuser, or having a global role that gives this permission, OPTIONS to /api/v1/organizations/ should not show POST. Otherwise it should show it.
• If user doesn't have add_inventory permission to any organizations, OPTIONS to /api/v1/inventories/ should not show POST. Otherwise it should show it.

This issue asks to add tests for these 3 cases to show that it works for test_app.