Fix breakages with the review group user resource.
This resource broke with the latest webapi security fixes, due to

setting model_parent_key. This broke when a user was in more than one

group at a time, since it would try to do a get() on the parent

relationship, which would produce more than one group.
The solution is to remove the model_parent_key field, and make use of

the new has_list_access_permissions instead.
Along with this, there were some incorrect checks for permissions for

access and deletion. While this looks like a security problem, it

wasn't, because these were actually redundant. For item access, the

users are available anyway (through the users resource), and for

deletion, the deletion handler itself does the correct check to ensure

the user is allowed to delete.

Unit tests pass.
Could build the docs.