Roles and permissions on groups
Permission management in Debusine relies on users being members of groups, and groups having roles on resources (see Permission management).
This works well, except when deciding if a user can manage the membership of a group: following this model, for each group there should be a related group with admin roles on it, but then who can manage the membership of that group?
I propose to shortcut the situation by allowing users to be assigned roles directly on groups, and on groups alone.
Proposed changes
- Change the Group.users ManyToManyField to use a through table UserGroup
- Add a GroupRoles enum, with MEMBER and ADMIN entries
- Add a role field to UserGroup, defaulting to MEMBER
- Add a can_manage permission predicate to Group, granted to ADMIN users and otherwise delegated to scope admins.
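
The proposed predicate, modelled in plain Python rather than Django, as an added example that is not Debusine's own code. The memberships dict stands in for the UserGroup through table, and Scope.admins, add_user and set_role are hypothetical names assumed for illustration.

```python
"""In-memory sketch of the proposed group roles (added example, not Debusine code)."""
from dataclasses import dataclass, field
from enum import Enum


class GroupRoles(str, Enum):
    MEMBER = "member"
    ADMIN = "admin"


@dataclass(frozen=True)
class User:
    name: str


@dataclass
class Scope:
    # Assumption: scope admins are modelled as a plain set of users.
    name: str
    admins: set = field(default_factory=set)


@dataclass
class Group:
    name: str
    scope: Scope
    # Stands in for the UserGroup through table: user -> role.
    memberships: dict = field(default_factory=dict)

    def add_user(self, user, role=GroupRoles.MEMBER):
        """Add or update a membership; role defaults to MEMBER as proposed."""
        self.memberships[user] = GroupRoles(role)

    def can_manage(self, user):
        """ADMIN members may manage; otherwise defer to scope admins."""
        if user is None:
            return False
        if self.memberships.get(user) is GroupRoles.ADMIN:
            return True
        return user in self.scope.admins

    def set_role(self, actor, target, role):
        """Change a membership only when the actor passes can_manage."""
        if not self.can_manage(actor):
            raise PermissionError(f"{actor.name} cannot manage {self.name}")
        self.add_user(target, role)
```

Because the role lives on the membership row itself, no second "admins of this group" group is needed, and a plain MEMBER cannot promote themselves through set_role.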