Fix user create & changeRole permissions/options handling in Panel UI

[distantnative]

Description

⚠️ Trying to split this into smaller, more modular PRs.

• Fix $user->roles($purpose) #6653
• Panel\Field::role() allow passing $roles #6654
• Improve Roles filter methods check #6655
• Clean up UserRules #6657
• Remove roles count check from UserPermissions #6658
• UserRules::create() validate roles #6694

Summary of changes

• Cms\User::roles():
  • So far, this only handled admin vs. anybody else: admins would get all roles, everyone else just their own role. This is not what the method promises to return.
  • Changed it to return the actual list of available roles for any users.
  • Also checks permissions and user options: User::roles($context) and App::roles($context) which apply ->canBeChanged() or ->canBeCreated() accordingly to the context.
• Panel dialogs: user.create and user.changeRole
  • Pass $roles to Panel\Field::role() using the right $context to retrieve the roles depending on their action
  • Show a radio input, even if only one option is available (though to make it transparent what gets created)
• Resorted UserPermissions and UserRules
  • UserPermssions::canChangeRole() can be true even if only one role is available - as this isn't a permissions restriction. Instead this check is performed separately where the UI needs it.

Reasoning

The main issue of #5146 why the permission wasn't reflected in the UI, was UserPermissions::canChangeRole only checking if User::roles() returns more than one role. However, User::roles() would always only return the current role for non-admins. That's why the permission itself never was acknowledged. Fixing these now really relies on the permission.

Moreover, in the refactoring to Panel backend dialogs etc. it got lost to filter available roles further by applying ->canBeChanged() or ->canBeCreated().

Additional context

As UserRules::changeRole() was fully restrictive in place, this is no security fix - the permission was always fully enforced. Even more, the Panel UI was falsely more restrictive than it should've been based on the permissions.

Changelog

Fixes

• Panel UI fixed for create and changeRole permission and user options
  user permissions: changeRole has no effect #5146

Enhancements

• Role always shown when creating a new user, even if only one role available

Docs

• Consistent listing of user.changeRole AND users.changeRole

Ready?

• In-code documentation (wherever needed)
• Unit tests for fixed bug/feature
• Tests and CI checks all pass

For review team

• Add changes & docs to release notes draft in Notion

[distantnative]

Closing this as we now have all parts from this PR as smaller PRs ready.