Change permissions model so that non-admins do not get org-wide read

Fixes #1684

test/test_v1_endpoint_security.py

@@ -13,6 +13,7 @@ app.register_blueprint(v1_bp, url_prefix='/v1')
 
 NO_ACCESS_USER = 'freshuser'
 READ_ACCESS_USER = 'reader'
+CREATOR_ACCESS_USER = 'creator'
 ADMIN_ACCESS_USER = 'devtable'
 
 
@@ -102,6 +103,13 @@ class TestReadAccess(EndpointTestCase):
   auth_username = READ_ACCESS_USER
 
 
+class TestCreatorAccess(EndpointTestCase):
+  __metaclass__ = _SpecTestBuilder
+  spec_func = build_v1_index_specs
+  result_attr = 'creator_code'
+  auth_username = CREATOR_ACCESS_USER
+
+
 class TestAdminAccess(EndpointTestCase):
   __metaclass__ = _SpecTestBuilder
   spec_func = build_v1_index_specs