Enforce category-based permissions across controllers and admin UI #4311

@thorsten

Description

Part of #3832. Lowest cost, highest value — infra already exists.

Background

faqgroup_right_category table, GroupCategoryPermissionRepository, and MediumPermission::hasPermissionForCategory() already exist (4.2.0-alpha). What is missing is enforcement at call sites and an admin UI to manage restrictions.

Tasks

  • Audit the ~111 hasPermission() call sites; replace with hasPermissionForCategory() where a category context exists (FAQ add/edit/delete/approve, translation, category controllers)
  • Wire enforcement into Faq.php query/permission helpers so restricted categories are filtered in listings, not just blocked on action
  • Admin UI: manage per-group category restrictions per right (API endpoint exists in GroupController; needs the frontend)
  • Define Basic-mode behaviour (Basic mode has no groups)

Acceptance criteria

  • Permissions assignable per category via admin UI
  • A group restricted to categories X, Y cannot edit/approve/delete FAQs elsewhere, and the UI hides what they cannot act on
  • Direct user rights remain global (current behaviour) — documented explicitly
  • Tests cover enforcement at controller + query level
  • Clear error when action blocked by category restriction
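The enforcement rule the tasks and acceptance criteria describe, written out as an added PHP example (this is not phpMyFAQ code, and the class, method signatures, right constants and sample data below are assumptions made for the example, not the project's real API): a guard that keeps direct user rights global, applies per-group category restrictions to group rights, treats Basic mode as "no groups", filters listings instead of only blocking on action, and raises a distinct error when a category restriction is what blocked the action.

```php
<?php
// Added example, not phpMyFAQ code. Models the behaviour described in the issue;
// all class/method names, right IDs and data are constructed assumptions.
declare(strict_types=1);

// Constructed right IDs for the example (the real IDs live in the database).
const RIGHT_EDIT_FAQ = 1;
const RIGHT_DELETE_FAQ = 2;

final class CategoryRestrictionException extends RuntimeException {}

final class CategoryPermissionGuard
{
    /**
     * @param array<int, list<int>>             $userRights   userId  => rightIds (direct, always global)
     * @param array<int, list<int>>             $groupRights  groupId => rightIds
     * @param array<int, list<int>>             $userGroups   userId  => groupIds
     * @param array<int, array<int, list<int>>> $restrictions groupId => rightId => allowed categoryIds
     *                                                        (no entry = right is unrestricted)
     * @param bool                              $basicMode    Basic mode has no groups at all
     */
    public function __construct(
        private array $userRights,
        private array $groupRights,
        private array $userGroups,
        private array $restrictions,
        private bool $basicMode = false,
    ) {}

    /** Global check: the "before" form that ignores category context. */
    public function hasPermission(int $userId, int $rightId): bool
    {
        if (in_array($rightId, $this->userRights[$userId] ?? [], true)) {
            return true;
        }
        if ($this->basicMode) {
            return false; // no groups to consult
        }
        foreach ($this->userGroups[$userId] ?? [] as $groupId) {
            if (in_array($rightId, $this->groupRights[$groupId] ?? [], true)) {
                return true;
            }
        }
        return false;
    }

    /** Category-aware check: group rights are honoured only inside their allowed categories. */
    public function hasPermissionForCategory(int $userId, int $rightId, int $categoryId): bool
    {
        // Direct user rights remain global (documented behaviour in the issue).
        if (in_array($rightId, $this->userRights[$userId] ?? [], true)) {
            return true;
        }
        if ($this->basicMode) {
            return false;
        }
        foreach ($this->userGroups[$userId] ?? [] as $groupId) {
            if (!in_array($rightId, $this->groupRights[$groupId] ?? [], true)) {
                continue;
            }
            $allowed = $this->restrictions[$groupId][$rightId] ?? null;
            if ($allowed === null || in_array($categoryId, $allowed, true)) {
                return true;
            }
        }
        return false;
    }

    /** Query-level enforcement: drop categories the user cannot act on, so the UI never shows them. */
    public function filterCategories(int $userId, int $rightId, array $categoryIds): array
    {
        return array_values(array_filter(
            $categoryIds,
            fn (int $categoryId): bool => $this->hasPermissionForCategory($userId, $rightId, $categoryId)
        ));
    }
}

/** Controller-level enforcement with a clear error naming the category restriction. */
function deleteFaq(CategoryPermissionGuard $guard, int $userId, int $categoryId, int $faqId): string
{
    // Before: $guard->hasPermission($userId, RIGHT_DELETE_FAQ) would pass for any category.
    if (!$guard->hasPermissionForCategory($userId, RIGHT_DELETE_FAQ, $categoryId)) {
        $reason = $guard->hasPermission($userId, RIGHT_DELETE_FAQ)
            ? 'right delete_faq is restricted to other categories'
            : 'right delete_faq not granted';
        throw new CategoryRestrictionException(
            sprintf('User %d may not delete FAQ %d in category %d: %s', $userId, $faqId, $categoryId, $reason)
        );
    }
    return sprintf('FAQ %d deleted', $faqId);
}

// Constructed sample data: user 7 is only in group 3; group 3 may edit/delete, but only in categories 10 and 11.
$guard = new CategoryPermissionGuard(
    userRights: [],
    groupRights: [3 => [RIGHT_EDIT_FAQ, RIGHT_DELETE_FAQ]],
    userGroups: [7 => [3]],
    restrictions: [3 => [RIGHT_DELETE_FAQ => [10, 11]]],
);

echo implode(',', $guard->filterCategories(7, RIGHT_DELETE_FAQ, [9, 10, 11, 12])), PHP_EOL; // listing hides 9 and 12
echo deleteFaq($guard, 7, 10, 42), PHP_EOL;                                                   // allowed
try {
    deleteFaq($guard, 7, 12, 43);                                                              // blocked by restriction
} catch (CategoryRestrictionException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The two checks are kept side by side on purpose: `hasPermission()` is the global form the audit is replacing, and the error path calls it only to tell "not granted" apart from "restricted to other categories", which is the clear message the last acceptance criterion asks for. Passing `basicMode: true` makes both checks ignore groups entirely, which is one reasonable reading of the open "Basic mode has no groups" task.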
