hubot-archive / hubot-auth

Assign roles to users and restrict command access in other scripts

Added variable to allow only admins to add and remove people from roles. #4

Closed mawalu closed 10 years ago

mawalu commented 10 years ago

If you set HUBOT_AUTH_ADMIN_ONLY to 1, only admins will be able to add and remove people from roles.

patcon commented 10 years ago

Looks good, I might make some tidy-up changes (in general, not necessarily to your PR code) after I accept this, then I'll push a release :) I'll put that through a PR and mention you so you can give it a review if you'd like

Thanks so much!

patcon commented 10 years ago

Hey @Mawalu, I don't know what I was thinking here, but I'm now realizing that at the very least, we have the default behaviour wrong. The default should definitely be that only admins can add/remove roles, and merging this PR should have been a major version bump, since adding the flag changes behaviour drastically :/ This was my fault, but it was a very silly oversight on my part, and frankly, I don't know what I was thinking..!

I'm considering reverting this, as I'm unsure of the point of an auth package having an option to allow anyone to set the roles, as that means it doesn't do access control. Can you explain the use-case?
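
The default-behaviour concern raised in this thread, as an added example that is not part of the PR or of hubot-auth's code: an opt-in restriction flag is compared with a fail-closed check across a few constructed configurations. The helper names, the comma-separated `HUBOT_AUTH_ADMIN` list, the strict `"1"` comparison and the `HUBOT_AUTH_OPEN_ROLES` opt-out are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not hubot-auth's own code.

// Assumption: admin user IDs come from a comma-separated HUBOT_AUTH_ADMIN.
function parseAdmins(env) {
  return (env.HUBOT_AUTH_ADMIN || "")
    .split(",")
    .map((id) => id.trim())
    .filter((id) => id.length > 0);
}

// Opt-in restriction, as the PR describes it: only the value "1" enables it.
// Assumption: any other value, or no value, leaves role changes open.
function canManageRolesOptIn(env, userId) {
  if (env.HUBOT_AUTH_ADMIN_ONLY !== "1") return true;
  return parseAdmins(env).includes(String(userId));
}

// Fail-closed variant: admin-only unless an operator explicitly opts out.
// HUBOT_AUTH_OPEN_ROLES is a hypothetical name used only for this example.
function canManageRolesFailClosed(env, userId) {
  if (env.HUBOT_AUTH_OPEN_ROLES === "1") return true;
  return parseAdmins(env).includes(String(userId));
}

// Constructed sample deployments (not taken from any real configuration).
const DEPLOYMENTS = [
  { name: "flag unset", env: { HUBOT_AUTH_ADMIN: "U1" } },
  { name: "flag set to 1", env: { HUBOT_AUTH_ADMIN: "U1", HUBOT_AUTH_ADMIN_ONLY: "1" } },
  { name: "flag mistyped as true", env: { HUBOT_AUTH_ADMIN: "U1", HUBOT_AUTH_ADMIN_ONLY: "true" } },
  { name: "no admins configured", env: { HUBOT_AUTH_ADMIN_ONLY: "1" } },
];

// For each deployment, report whether a non-admin (U2) may change roles.
function auditNonAdminAccess(deployments = DEPLOYMENTS) {
  return deployments.map(({ name, env }) => ({
    name,
    optIn: canManageRolesOptIn(env, "U2"),
    failClosed: canManageRolesFailClosed(env, "U2"),
  }));
}

console.table(auditNonAdminAccess());
```

With the opt-in check, both an unset flag and a mistyped value leave role changes open to a non-admin; the fail-closed check denies in every row unless the opt-out is set deliberately.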