Client API permissions

[sebgie]

This belongs to the OAuth Epic: #4004 - please read this for the big picture of what this issue is for :)

---

It is allowed for every authenticated user to add, browse, edit and delete clients. This is similar to what Slack does for integrations and will allow every user to use third party clients. The access to the restful API of Ghost is protected by the individual permissions of each user.

JSON API	Admin	Editor	Author	NoAuth
clients.browse	y	y	y
clients.read	y	y	y
clients.edit	y	y	y
clients.add	y	y	y
clients.destroy	y	y	y

This issue depends on #3910 for adding new permissions to the database.

[javorszky]

An Author level user can't delete a client that an Admin added though, right?

[ErisDS]

Labelling all the open permissions related issues (there are several) with both permissions and later as I'm working on a spec to solve the immediate issues as well as a long term plan, which will replace all of these issues.

Note: I am aware this is required for OAuth #4004, I am working on a solution that will allow us to resolve this in the short term - at the moment there is no way forward. I'll reopen this as soon as we're able to progress with it.