fix: permissions not restricted for certain management pages / actions (#1219)

* fix: restrict parts of manage navigation to admins

* fix: restrict stats cards on manage home page

* fix: restrict access to amount of certain stats for manage home

* fix: restrict visibility of board create button

* fix: restrict access to integration pages

* fix: restrict access to tools pages for admins

* fix: restrict access to user and group pages

* test: adjust tests to match permission changes for routes

* fix: remove certain pages from spotlight without admin

* fix: app management not restricted

apps/nextjs/src/app/[locale]/manage/tools/api/page.tsx

@@ -1,8 +1,10 @@
 import { headers } from "next/headers";
+import { notFound } from "next/navigation";
 import { Stack, Tabs, TabsList, TabsPanel, TabsTab } from "@mantine/core";
 
 import { openApiDocument } from "@homarr/api";
 import { api } from "@homarr/api/server";
+import { auth } from "@homarr/auth/next";
 import { extractBaseUrlFromHeaders } from "@homarr/common";
 import { getScopedI18n } from "@homarr/translation/server";
 
@@ -11,6 +13,11 @@ import { createMetaTitle } from "~/metadata";
 import { ApiKeysManagement } from "./components/api-keys";
 
 export async function generateMetadata() {
+  const session = await auth();
+  if (!session?.user || !session.user.permissions.includes("admin")) {
+    return {};
+  }
+
   const t = await getScopedI18n("management");
 
   return {
@@ -19,6 +26,10 @@ export async function generateMetadata() {
 }
 
 export default async function ApiPage() {
+  const session = await auth();
+  if (!session?.user || !session.user.permissions.includes("admin")) {
+    notFound();
+  }
   const document = openApiDocument(extractBaseUrlFromHeaders(headers()));
   const apiKeys = await api.apiKeys.getAll();
   const t = await getScopedI18n("management.page.tool.api.tab");