fedora-infra/bodhi

The releases endpoint is not accessible by external tools

mattiaverga opened this issue · 0 comments

The /releases/ endpoint uses a really restrictive CORS setting which prevents AJAX calls from fetching the list of releases. This is done because the same endpoint accepts both GET (for listing, using HTTP and JSON renderers) and POST (for adding/editing releases). The latter should be restricted to requests originating from the Bodhi server itself.

We can add a new endpoint reusing the same view method of the GET /releases/ (using decorators) and assign the more relaxed cors_origin_ro CORS to it.
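The split proposed above, sketched as an added example that is not part of the original issue and is not Bodhi's code: one listing view registered on two routes, with the strict origin set kept on `/releases/` and a relaxed one on a separate read-only route. The path `/releases-ro/`, the origin `https://bodhi.example.org`, the names `CORS_RW` and `CORS_RO`, and the sample data are all assumptions made for illustration.

```python
# Added illustration (stdlib only); route names, origins and data are constructed.
BODHI_ORIGIN = "https://bodhi.example.org"  # placeholder for the Bodhi server's own origin
CORS_RW = {BODHI_ORIGIN}                    # strict: only Bodhi's own pages
CORS_RO = {"*"}                             # relaxed: any origin may read

def list_releases():
    """Shared read-only view: the listing that both routes serve."""
    return {"releases": [{"name": "F40"}, {"name": "F41"}]}  # constructed sample

def save_release():
    """Write view (add/edit); registered only on the strict route."""
    return {"saved": True}

# (path, method) -> (view, allowed origins). "/releases-ro/" is hypothetical.
ROUTES = {
    ("/releases/", "GET"): (list_releases, CORS_RW),
    ("/releases/", "POST"): (save_release, CORS_RW),
    ("/releases-ro/", "GET"): (list_releases, CORS_RO),
}

def cors_headers(origin, allowed):
    """Return the Access-Control-Allow-Origin header for this origin, if any."""
    if origin is None:
        return {}
    if "*" in allowed:
        return {"Access-Control-Allow-Origin": "*"}
    if origin in allowed:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}

def handle(method, path, origin=None):
    """Dispatch a request and return (status, headers, body)."""
    if path not in {p for p, _ in ROUTES}:
        return 404, {}, None
    route = ROUTES.get((path, method))
    if route is None:
        return 405, {}, None  # e.g. POST on the read-only route
    view, allowed = route
    return 200, cors_headers(origin, allowed), view()

def browser_can_read(method, path, origin):
    """True when a cross-origin script at `origin` could read the response."""
    status, headers, _ = handle(method, path, origin)
    acao = headers.get("Access-Control-Allow-Origin")
    return status == 200 and acao in ("*", origin)
```

The read-only route exposes no POST handler, so relaxing its origin set does not widen who can reach the write view. CORS headers only decide whether a browser lets a script read the response; they do not stop a request from being sent.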