mirror of git://git.proxmox.com/git/pve-access-control.git synced 2025-01-07 17:17:56 +03:00

api2: token: use userid-group as API perm check

the previous version using an ACL path of '/access/users/{userid}' was
broken for non-root users, since the '@' character always contained in a
userid is not allowed in ACL paths.

this effectively meant that creating API tokens only worked for:
- root@pam (ACL checks skipped altogether)
- users with User.Modify on '/' with propagation (the roles/privs for
  '/' are propagated to the undefined path in this case)
- users creating their own tokens (first branch of 'or')

the userid-group check is used for all other modifications of user
entities, so it can also be used for creating/modifying/removing API
tokens.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler 2022-06-20 13:05:11 +02:00 committed by Thomas Lamprecht
parent 1cf4389b42
commit 59164ff16b


@ -565,7 +565,7 @@ __PACKAGE__->register_method ({
check => [
'or',
['userid-param', 'self'],
['perm', '/access/users/{userid}', ['User.Modify']],
['userid-group', ['User.Modify']],
],
},
parameters => {
@ -602,7 +602,7 @@ __PACKAGE__->register_method ({
check => [
'or',
['userid-param', 'self'],
['perm', '/access/users/{userid}', ['User.Modify']],
['userid-group', ['User.Modify']],
],
},
parameters => {
@ -634,7 +634,7 @@ __PACKAGE__->register_method ({
check => [
'or',
['userid-param', 'self'],
['perm', '/access/users/{userid}', ['User.Modify']],
['userid-group', ['User.Modify']],
],
},
parameters => {
@ -714,7 +714,7 @@ __PACKAGE__->register_method ({
check => [
'or',
['userid-param', 'self'],
['perm', '/access/users/{userid}', ['User.Modify']],
['userid-group', ['User.Modify']],
],
},
parameters => {
@ -765,7 +765,7 @@ __PACKAGE__->register_method ({
check => [
'or',
['userid-param', 'self'],
['perm', '/access/users/{userid}', ['User.Modify']],
['userid-group', ['User.Modify']],
],
},
parameters => {
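Review bot: The `['userid-group', ['User.Modify']]` branch that replaces the path-based check in all five `check` arrays (hunks at 565, 602, 634, 714 and 765) changes who may manage another user's API tokens, and no regression test for it is visible on this page. Because a token is a credential, I would add one case where a non-root caller holds User.Modify only on a group of the target user (expected to pass, presumably how 'userid-group' evaluates; confirm) and one where the privilege is on an unrelated group (expected to be denied). A short comment above the first array would keep the old form from being reintroduced, for example `# userids contain '@', which is not allowed in ACL paths, so check via userid-group instead of a per-user path`. The five arrays are identical, so defining the check once and referencing it from each method would stop them drifting apart. Each register_method call starts and ends outside its hunk, so the handlers behind these checks could not be reviewed here.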