feat: add guest role for new user registrations #2318

Open
longfei91 wants to merge 2 commits into tryzealot:develop from longfei91:feat/guest-role-for-new-users

longfei91 commented May 6, 2026

Summary

  • Add guest as a new user role with read-only access (no download permission)
  • Guest users see a disabled lock button on release pages; both show and download actions are
    protected server-side
  • Default role for new users is configurable via Setting.preset_role (admin UI) or
    ZEALOT_DEFAULT_USER_ROLE env variable

Changes

  • User model: add guest to role enum (integer value 3, backward-compatible)
  • Download::ReleasesController: block guest access on both show and download actions
  • Setting.preset_role: support ZEALOT_DEFAULT_USER_ROLE env var for container deployments
  • UserRoles: add grant_guest! / revoke_guest! methods, :guests scope, guest? in role_name
  • ApplicationPolicy: delegate guest? to user
  • i18n: add translations for guest role and no-permission messages (en + zh-CN)

Test plan

  • Register a new user → verify role is guest when preset_role is set to guest
  • As guest, visit a release page → download button is disabled (lock icon)
  • As guest, directly access download URL → redirected with alert
  • As member/developer/admin, download works normally
  • Admin panel: role selector includes Guest option
  • RSpec: spec/models/user_spec.rb and spec/controllers/download/releases_controller_spec.rb

- Add `guest` as a new user role (integer value 3) with read-only access
- Guest users cannot download releases: disabled lock button in UI and
  server-side redirect on both show and download actions
- Default role for new users is configurable via Setting.preset_role or
  ZEALOT_DEFAULT_USER_ROLE environment variable
- Add grant_guest!/revoke_guest! methods consistent with other role helpers
- Add scope :guests and guest? delegation in ApplicationPolicy
- Add RSpec coverage for guest role behavior and download restrictions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@welcome

welcome Bot commented May 6, 2026

Thank you for the issue or feedback you submitted; I will review the code when I have time.
Thanks so much for opening your first PR here!

@icyleaf

icyleaf commented May 8, 2026

Member

Thank you for the contribution! The general direction of this PR is correct, but I noticed a potential security vulnerability.

The role check you added only covers the Web interface controllers, meaning the API endpoints are still missing these restrictions. Furthermore, we prefer to keep all permission-related logic encapsulated within Pundit policies (app/policies directory) rather than in the controllers themselves to ensure consistency and maintainability.

If you're open to it, could you please integrate these checks into the corresponding Pundit policies? This would help secure both the Web and API layers properly.

icyleaf force-pushed the develop branch 2 times, most recently from 4682eba to 6eca4c7 May 9, 2026 13:43

Add `download?` to ReleasePolicy so guest checks apply to both web and
API layers. Replace manual `current_user&.guest?` guards in
Download::ReleasesController with `authorize @Release, :download?` and
a `rescue_from Pundit::NotAuthorizedError` handler.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@longfei91

Author

> Thank you for the contribution! The general direction of this PR is correct, but I noticed a potential security vulnerability.
>
> The role check you added only covers the Web interface controllers, meaning the API endpoints are still missing these restrictions. Furthermore, we prefer to keep all permission-related logic encapsulated within Pundit policies (app/policies directory) rather than in the controllers themselves to ensure consistency and maintainability.
>
> If you're open to it, could you please integrate these checks into the corresponding Pundit policies? This would help secure both the Web and API layers properly.

Thanks for the feedback! I've moved the guest restriction out of the controllers and into
ReleasePolicy#download?. Download::ReleasesController now uses authorize @Release, :download? with a
rescue_from Pundit::NotAuthorizedError handler, keeping all permission logic in the policy layer and
covering both web and API endpoints consistently.
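
The point raised in this review, as an added example in plain Ruby (not code from this PR, from Zealot or from Pundit): a guard written into one controller leaves the other entry point open, while a policy consulted by both denies guests consistently. The `User` and `Release` structs, the handler names, the `authorize` helper and the response shapes are stand-ins assumed for illustration.

```ruby
# Added illustration in plain Ruby; stand-ins only, not Zealot's or Pundit's code.
class NotAuthorizedError < StandardError; end # stand-in for Pundit::NotAuthorizedError

User = Struct.new(:name, :role) { def guest?; role == :guest; end }
Release = Struct.new(:id, :file)

# Before: the guard lives in the web handler only, so the API handler never runs it.
def web_download_v1(user, release)
  return { status: 302, alert: "no permission" } if user&.guest?
  { status: 200, body: release.file }
end

def api_download_v1(_user, release)
  { status: 200, body: release.file }
end

# After: one policy object answers the question for every entry point.
class ReleasePolicy
  def initialize(user, record)
    @user, @record = user, record
  end

  # Mirrors the `current_user&.guest?` guard named in the thread.
  def download?
    !@user&.guest?
  end
end

# Minimal stand-in for Pundit's `authorize record, :query?`.
def authorize(user, record, query)
  policy = Object.const_get("#{record.class.name}Policy").new(user, record)
  raise NotAuthorizedError, "#{query} denied" unless policy.public_send(query)
  record
end

def web_download_v2(user, release)
  authorize(user, release, :download?)
  { status: 200, body: release.file }
rescue NotAuthorizedError
  { status: 302, alert: "no permission" } # redirect with alert, as in the test plan
end

def api_download_v2(user, release)
  authorize(user, release, :download?)
  { status: 200, body: release.file }
rescue NotAuthorizedError
  { status: 403, error: "forbidden" } # assumed API response shape
end
```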
