Depositors able to override admin set visibility restrictions

[davidcam-src]

Descriptive summary

• Depositors can change the permissions of a work and its files in an admin set that should restrict these permissions.
• Admin sets meant to only allow "Private" permissions are being overridden by non-admin users

Steps to reproduce the behavior in User Interface (UI)

Reproducing Issue: Public Work in Private Admin Set

1. As a non admin user, create a new work in Nurax.
2. Select an admin set with exclusive private visibility in the Relations tab.
3. In the Sharing Settings tab, select "public" for "Add group"
4. Fill out the form as usual and add a file. Note that private visibility is checked and is the only available visibility option. Check the deposit agreement and click save.
5. Note that the deposited work has public visibility

Extra steps to make the file of the work public:

1. Go to the dropdown for the file on the work page and select Edit
2. Click the permissions tab and change it from private to public since admin set visibility restrictions aren't being applied to the radio buttons
3. Save and note that the file is now public despite being in a private admin set

Acceptance Criteria/Expected Behavior

• Depositors should not be able to change the permissions of a work or its files in an admin set that restricts these permissions.
• In the Relations tab, only the "Private" visibility option should be selectable for works in the specified admin sets.
• Admins should be able to override the admin set restrictions for setting permissions