Implement operator role for apps

There are two main use cases:
* A consultant/contractor/external developer is given access to just an app.
* A "service" personnel (say upstream app author) is to be given access to single app
for debugging.

Since, this is an "app admin", they are also given access to apps to be consistent with
the idea that Cloudron admin has access to all apps.

part of #791

src/routes/accesscontrol.js

@@ -5,10 +5,12 @@ exports = module.exports = {
     tokenAuth,
 
     authorize,
+    authorizeOperator,
     websocketAuth
 };
 
 const accesscontrol = require('../accesscontrol.js'),
+    apps = require('../apps.js'),
     assert = require('assert'),
     BoxError = require('../boxerror.js'),
     externalLdap = require('../externalldap.js'),
@@ -105,3 +107,13 @@ async function websocketAuth(requiredRole, req, res, next) {
 
     next();
 }
+
+async function authorizeOperator(req, res, next) {
+    assert.strictEqual(typeof req.params.id, 'string');
+    assert.strictEqual(typeof req.user, 'object');
+    assert.strictEqual(typeof req.app, 'object');
+
+    if (apps.isOperator(req.app, req.user)) return next();
+
+    return next(new HttpError(403, 'user is not an operator'));
+}