Cleaned permission checks for API -> site admin can now do anything

[vakabus]

Fixes and implements ideas from #6434 .

The main idea is, that permission checks should be hierarchical and users with higher privileges should not be denied access. Especially site-admins.

I extracted permission checks into separate functions and then modified the permission handlers to check more broadly. It's not a huge change in code, but it could have bad consequences if something is wrong.

I also reordered the functions, so that higher permissions are higher. It's not a big deal, but it explains the weird diff in reqOrgOwnership() and reqOrgMembership() function.

[codecov-io]

Codecov Report

Merging #6483 into master will decrease coverage by <.01%.
The diff coverage is 44.68%.

@@            Coverage Diff             @@
##           master    #6483      +/-   ##
==========================================
- Coverage   40.42%   40.41%   -0.01%     
==========================================
  Files         404      404              
  Lines       54094    54116      +22     
==========================================
+ Hits        21865    21873       +8     
- Misses      29217    29228      +11     
- Partials     3012     3015       +3

Impacted Files	Coverage Δ
routers/api/v1/api.go	72.29% <19.35%> (-1.61%)	⬇️
modules/context/context.go	53.76% <93.75%> (+3.76%)	⬆️
modules/log/file.go	75.52% <0%> (-2.1%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 592e6c3...7319a39. Read the comment docs.

[lafriks]

Could these methods be added to API context?

[vakabus]

Good idea. I've moved it.

[vakabus]

Sorry that it took me so long, but I finally got time to fix the reported issues. Hope it's better now. What do you think?

[zeripath]

~~Why did you switch the order of reqOrgOwnership and reqOrgMembership?

Moving around code like that is the perfect way to introduce security holes.

Reviewers please check this very carefully.~~

[zeripath]

Ok I'm satisfied that moving the functions around hasn't changed their semantics

[vakabus]

@zeripath Thanks for the review. Do you think I should revert back the reordering? I did it, because it made more sense to me. Higher privilege first, lower second. As everything else in that file. But I agree, I could have broke something and it wouldn't be clear. That's a good point.

[zeripath]

No it's fine. It was just a caution to other reviewers and myself to double check what we're doing.

Gitea use is growing and I could imagine that at some point someone might want to introduce a security hole. We need to be careful around permissions.