UI viewer role (#16978)

* db migration

* db model

* assign admin role on password reset

* add role to jwt and api responses

* don't restrict api access for admins yet

* use json response

* frontend auth context

* update auth form for profile endpoint

* add access denied page

* add protected routes

* auth hook

* dialogs

* user settings view

* restrict viewer access to settings

* restrict camera functions for viewer role

* add password dialog to account menu

* spacing tweak

* migrator default to admin

* escape quotes in migrator

* ui tweaks

* tweaks

* colors

* colors

* fix merge conflict

* fix icons

* add api layer enforcement

* ui tweaks

* fix error message

* debug

* clean up

* remove print

* guard apis for admin only

* fix tests

* fix review tests

* use correct error responses from api in toasts

* add role to account menu

docker/main/rootfs/usr/local/nginx/conf/auth_request.conf

@@ -1,14 +1,16 @@
 ## Send a subrequest to verify if the user is authenticated and has permission to access the resource.
 auth_request /auth;
 
-## Save the upstream metadata response headers from Authelia to variables.
+## Save the upstream metadata response headers from the auth request to variables
 auth_request_set $user $upstream_http_remote_user;
+auth_request_set $role $upstream_http_remote_role;
 auth_request_set $groups $upstream_http_remote_groups;
 auth_request_set $name $upstream_http_remote_name;
 auth_request_set $email $upstream_http_remote_email;
 
 ## Inject the metadata response headers from the variables into the request made to the backend.
 proxy_set_header Remote-User $user;
+proxy_set_header Remote-Role $role;
 proxy_set_header Remote-Groups $groups;
 proxy_set_header Remote-Email $email;
 proxy_set_header Remote-Name $name;