Add scopes delete:metadata and delete:data

[danielballan]

Summarizing a discussion with @dylanmcreynolds

---

Currently, the deletion routes require write:metadata and write:data Scopes:

tiled/tiled/server/router.py

Line 1216 in addcda6

entry=SecureEntry(scopes=["write:data", "write:metadata"]),

Let's separate out Scopes for deletion so that Roles and Access Control Policies can enable writing but block deleting if desired. (This issue is not taking a policy on what default/common Scopes should be, only that these should be separated out now so that it is possible to distinguish them.)

Specifically:

• delete:metadata --- May remove rows from the Catalog database, dropping references to externally-managed data.
• delete:data --- May delete actual files, internally-managed files that were written by the Tiled server and may be the canonical copy of a given dataset. (Deleting the files should also clean up the SQL entities referencing them.)

We may need to add and/or rename routes:

• Existing route DELETE /metadata/{path} should change from scopes ["write:metadata", "write:data"] to scopes ["delete:metadata"].
• Existing route DELETE /nodes/{path} should maybe be split into DELETE /nodes/metadata/{path} (can delete references to externally-managed data, or empty nodes) and DELETE /nodes/assets/{path} (can delete actual data), protected by ["delete:metadata"] and ["delete:metadata", "delete:data"] respectively.

[padraic-shafer]

This sounds reasonable.