In addition, allow an auditor read-only permissions within a project.

  Collect all the permissions that an auditor is supposed to have in the
  `auditor_access` method. This _could_ be automated by dynamically listing all
  permissions that start with `read_`, but this is cleaner / more readable,
  especially since it's confined to this one location.