hypothesis / h

Annotate with anyone, anywhere.
https://hypothes.is/
BSD 2-Clause "Simplified" License

Allow group members to remove other members from groups #9076

Open seanh opened 1 week ago

seanh commented 1 week ago

Extend the remove-member-from-group API (DELETE /groups/{id}/members/{user}) to allow group members to remove other members (not just themselves) from groups, assuming the authenticated member has the necessary role in the group.

Currently the only valid call to this API is DELETE /groups/{id}/members/me (i.e. {user} is the literal string me) to remove yourself from a group.

While keeping the me alias this PR also enables {user} to be either your own or someone else's userid, and will allow or deny the request according to these rules:

Testing

Test removing yourself

  1. Log in (http://localhost:5000/login)

  2. Generate an API token (http://localhost:5000/account/developer)

  3. Create a group (http://localhost:5000/groups/new)

  4. Remove yourself from the group:

    httpx http://localhost:5000/api/groups/{pubid}/members/acct:{username}@localhost --method DELETE --headers Authorization 'Bearer {apitoken}'

    Or with the "me" alias:

    httpx http://localhost:5000/api/groups/{pubid}/members/me --method DELETE --headers Authorization 'Bearer {apitoken}'

    If you repeat the same request again you should get a 404 because the membership doesn't exist.

Test an owner removing a plain member

  1. Log in
  2. Generate an API token
  3. Create a group
  4. Log in as a different user
  5. Join the group
  6. Make an API request as the first user to remove the second user from the group

Test that plain members can't remove owners

  1. Log in
  2. Generate an API token
  3. Create a group
  4. Log in as a different user
  5. Join the group
  6. Make an API request as the second user to remove the first user from the group. You should get a 404.

Test that non-members can't remove members from groups

  1. Log in
  2. Generate an API token
  3. Create a group
  4. Make an API request as a different user to remove the user from the group. You should get a 404.

Test that unauthenticated requests can't remove members from groups

  1. Log in
  2. Generate an API token
  3. Create a group
  4. Make an API request without an Authorization header to remove the user from the group. You should get a 404.
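As an added example, not code from the hypothesis/h project: a small Python model of the allow/deny outcomes that the test scenarios above describe for DELETE /groups/{id}/members/{user}, including the "me" alias. The role names ("owner", "member"), the in-memory group structure and the 204 success status are assumptions; the 404 for denied and missing memberships is what the steps above expect.

```python
# Added example (not hypothesis/h code): models the outcomes of the PR's test
# scenarios. Role names, data structures and the 204 status are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional

NOT_FOUND = 404   # the PR's steps expect 404 for denied and missing memberships alike
NO_CONTENT = 204  # assumed success status for the DELETE


@dataclass
class Group:
    pubid: str
    # userid -> role; a userid absent from this dict is not a member
    members: Dict[str, str] = field(default_factory=dict)


def resolve_user(user_param: str, authenticated_userid: Optional[str]) -> Optional[str]:
    """Keep the 'me' alias: it names the authenticated user, if there is one."""
    return authenticated_userid if user_param == "me" else user_param


def remove_member(group: Group, authenticated_userid: Optional[str], user_param: str) -> int:
    """Return the HTTP status a request should get, deciding it from the
    caller's own membership and role rather than from the path alone."""
    # Unauthenticated requests cannot remove anyone (test scenario 5).
    if authenticated_userid is None:
        return NOT_FOUND
    target = resolve_user(user_param, authenticated_userid)
    actor_role = group.members.get(authenticated_userid)
    # A non-member caller, or a target who is not a member, gets 404 (scenarios 1 and 4).
    if actor_role is None or target not in group.members:
        return NOT_FOUND
    if target == authenticated_userid:
        pass  # removing yourself is always allowed (scenario 1)
    elif actor_role == "owner" and group.members[target] == "member":
        pass  # an owner may remove a plain member (scenario 2)
    else:
        # Only the combinations the test steps cover are allowed; everything
        # else, e.g. a plain member removing an owner (scenario 3), is denied.
        return NOT_FOUND
    del group.members[target]
    return NO_CONTENT
```

Repeating a successful request returns 404 because the membership no longer exists, matching the self-removal scenario above.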