Clarify "Listings" capability wrt "Reads" versus "PublicReads"

[jhiemstrawisc]

The Listings capability can be set for both origins and namespaces and it determines whether clients are able to PROPFIND/ls the origin/namespace for object discovery.

However, the access/authorization requirements to issue these list requests depends on other capabilities, namely Reads and PublicReads. If an origin is configured with Reads and Listings, object discovery requires a validly-scoped read token, whereas an origin with PublicReads and Listings allows anybody to perform discovery without a token.

One note is that while our capabilities mechanism ties Listings to namespace exports, the toggle actually applies to the origin's core xrootd configuration. Because of this, I'm not sure we can currently scope this capability individually to namespaces exported through the same origin the way our config mechanisms suggest.

While we should think about the implication of this kind of side effecting and whether it's what we truly want, we should at the very least document this behavior