fix: implement more fine grained permission checks

[DavideIadeluca]

Fixes #393

Changes proposed in this pull request:

• Implement extra permissions for better transparency what which permissions exactly do
• Consume those new permissions in the Model Policy
• Refactor The DeleteFileHandler to consume the Model Policy rather then readding the permission logic
• Add migration for the permissions to lessen chance of breaking existing integrations

Reviewers should focus on:
No security vulnerabilities are introduced in DeleteFileHandler & FilePolicy. Here is the intended migration logic:

If a group had fof-upload.deleteUserUploads (previously meaning meaning “delete others”):

• Group needs fof-upload.deleteOtherUsersUploads
• Group needs fof-upload.hideOtherUsersUploads

If a group had fof-upload.upload-shared-files:

• Groups needs fof-upload.deleteSharedUploads
• Group needs fof-upload.hideSharedUploads

To allow that users can hide their own files by default, I've added a separate migration (2025_11_07_000000_grant_hide_own_to_members.php) which grants members this permission

Screenshot
Before and after the permission migration:

Before:

After:

Confirmed

• Frontend changes: tested on a local Flarum installation.
• Backend changes: tests are green (run composer test).

Required changes:

• Related Flarum core extension PR's: (Omit this section if irrelevant)

[jaspervriends]

This PR would resolve the following bug as well: it's currently not possible to delete files when you're a moderator (even if you added the "Delete user uploads" permission, since there's a admin only check on it currently). This PR seems to resolve that.

Is there anything that is holding back merging it? So far it looks good to me.

[DavideIadeluca]

Thanks @jaspervriends for bringing this up again. I'll try to make progress here next week

[DavideIadeluca]

@imorland I've now made the changes as discussed and am happy with them at the moment, namely:

• Refactoring the Model Policy to be more readable
• Consume the model policy in the DeleteFileHandler
• Adjusting tests
• Adding migration path

Do you have time to review this?

[DavideIadeluca]

This right here is more of a POC of how we can handle cases where other permissions are prerequisites for another permission, similiar like Tags does it for example (permission to create discussion in a tag can only be granted to a new group when the viewForum permissions has that group already.

Open for feedback if this should be extended to cover more cases in fof/upload or if I should abandon this. See https://github.com/flarum/framework/blob/097b3c5baa025b46b1fe96a3191ce25fb9a062e7/extensions/tags/js/src/admin/addTagsPermissionScope.tsx#L34-L46 for a similar implementation in the framework

[GrumpyCat-ai]

@DavideIadeluca

As a user of Flaurum who has the issue described by imorland, I would be happy to test any fix you may have.
Thanks