Close down last remaining API endpoints

[mwinokan]

from the last fixes to restore snapshot and download bugs @alanbchristie to talk to @boriskovar-m2ms to see how target/session information can be passed correctly to enable lockdown of relaxed endpoints

[mwinokan]

It is unclear whether f/e changes will be needed, @boriskovar-m2ms says it might get complicated regarding snapshots linking to proposals/sessions. In theory @matej-vavrek can help out, but there are likely to be conflicting changes with #1483. (@phraenquex says it is fine to wait)

[boriskovar-m2ms]

I'm really not sure if I know what this is exactly about because it has been almost 3 months now BUT IIRC the main problem is that not logged in (but also logged in) user can share a snapshot for other user to see. The problem is that this snapshot must have a project so anonymous project is created and I THINK this is the reason why session-projects and snapshots api endpoints can be closed off.

For session-projects IIRC the idea was that not every snapshots needs to be a part of a session project. This is very hard, We would need some move/duplicate some information from session project to snapshot, redo a lot of functionality because when we know that we are working with a snapshot we also know that we have a project object and properties available, change saving snapshots and change how routing works. This is just from top of my head. We are talking about one week minimum and up to two weeks. But we would get finally rid of this fake session projects which you always need to remember to handle them differently and are causing problems (see #1578 ). Then there are some curious decisions to be made like currently there is a functionality that when you're logged in and you're working on a session project and you click Share button no snapshot is created but link to a current snapshot you have displayed is shared (without the unsaved changes) - in this case a copy of snapshot would be created and this copy would be marked as a public so it's doable but this is just one of many obscure details you need to be aware of.

For snapshots I'm not sure how to handle this. Maybe enforce ISPyB validation for snapshots that are not created as a part of a session project (new field in snapshots table)?