cul/ldpd-hyacinth

Permissions to Add/Remove Projects from Digital Objects

Closed this issue · 1 comments

Right now, any user can add/remove projects for a digital object via an update action.

We need to decide:

  1. Who should be able to add/remove projects for a digital object?
  2. What projects should a user be able to add/remove from?

Eric's suggestion is the following:
"I think it actually does make sense for a person to be able to add an existing object to another project -- even if the person doesn't have any permissions in that other project"
"but that said, we still need the protection that we just talked about when it comes to project removal"

One complicating factor to Eric's suggestion is that the /projects endpoint returns all the projects a User has read access to.

In support of allowing someone to add an item to any project, I feel like when a user has edit permission for an object (i.e. they manage/curate the object), they should be able to share that object with others in another project when necessary. That sharing doesn't necessarily mean that they should be required to receive the editor role in that other project though, since it may not be appropriate to grant them that kind of widespread access.

Also, re: /projects -- It might be worth reconsidering whether the /projects API endpoint should return all projects a user has access to. It may make more sense to have /projects return a limited-info list of all projects (maybe just display_label and string_key?), and instead create a scoped user-specific projects route like /user/projects (as one possible option).