We didn’t like the nested conditional way of doing this. So this commit
refactors the way that permissions are set by:
- splitting it up into multiple, clearly named methods
- treating the list of permissions as `set`s, which they naturally are,
because you can’t have duplicate permissions (this removes a lot of
the complexity around having to test for membership before removing
a permission, for example)