
feat(ui): allow non-owner users to authorize on accessible OAuth gateways#3935

Open
kimsehwan96 wants to merge 1 commit intoIBM:mainfrom
kimsehwan96:feat/authorize-non-owner-access

Conversation

@kimsehwan96 (Contributor) commented Mar 31, 2026

🔗 Related Issue

Closes #3934


📝 Summary

Non-owner team members and public gateway users cannot see the "🔐 Authorize" button on OAuth gateways, preventing them from completing the OAuth flow. The backend already stores tokens per-user (oauth_tokens.app_user_email), so this is purely a UI visibility fix.

  • Add can_authorize template variable (broader than can_modify) for Authorize/Fetch Tools buttons
  • Keep can_modify for Edit/Deactivate/Delete (unchanged)

🏷️ Type of Change

  • Bug fix
  • Feature / Enhancement
  • Documentation
  • Refactor
  • Chore (deps, CI, tooling)
  • Other (describe below)

🧪 Verification

  Check            Command          Status
  Lint suite       make lint        pass
  Unit tests       make test        pass
  Coverage ≥ 80%   make coverage

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • Tests added/updated for changes
  • Documentation updated (if applicable)
  • No secrets or credentials committed

📓 Notes (optional)

Changed files:

  • gateways_partial.html: 1 line added + 1 line modified
  • test_admin.py: 5 tests added (2 positive, 2 regression, 1 negative)

Visibility logic:

  ┌─────────────────────────────────┬───────────┬─────────────┐
  │            User type            │ Authorize │ Edit/Delete │
  ├─────────────────────────────────┼───────────┼─────────────┤
  │ Admin                           │    ✅     │     ✅      │
  ├─────────────────────────────────┼───────────┼─────────────┤
  │ Gateway owner                   │    ✅     │     ✅      │
  ├─────────────────────────────────┼───────────┼─────────────┤
  │ Team member (non-gateway-owner) │    ✅     │     ❌      │
  ├─────────────────────────────────┼───────────┼─────────────┤
  │ Any user (public gw)            │    ✅     │     ❌      │
  ├─────────────────────────────────┼───────────┼─────────────┤
  │ Non-member (team gw)            │    ❌     │     ❌      │
  └─────────────────────────────────┴───────────┴─────────────┘

Screenshot as a team member who is not the MCP owner:

[Screenshot 2026-03-31 11:30:46 AM]

(AWS Docs MCP set as no auth type)

E2E Verification (manual):

  • Built and deployed from this commit to a live K8s cluster
  • Tested as a team member who is not the gateway owner
  • Confirmed Authorize button is visible and OAuth flow completes successfully
  • As team owner: authorization, tool fetch, and tool invocation all work with the user's own token
  • As team member: authorization works, but tool fetch/invocation is blocked due to missing tools.execute permission (pending feat(rbac): add tools.execute permission to team-scoped viewer role #3882)
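The visibility table above can be read as two predicates over a user and a gateway. The following is an added example that models those predicates and evaluates each row of the table; it is not the project's own template or test code. The `Gateway`/`User` fields, the visibility values `"public"` and `"team"`, and the default-deny fallback for any other visibility value are assumptions of this example; in the real project the two decisions surface as the Jinja variables `can_modify` and `can_authorize`. Note that these flags only decide whether a button is rendered, so the per-user token storage and the RBAC checks on the backend remain the actual access control.

```python
"""Constructed model of the Authorize vs. Edit/Delete visibility rules
from the PR description (example code, not the project's own logic).

Field names and visibility values below are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Gateway:
    owner_email: str
    visibility: str                      # "public" or "team" (assumed values)
    team_members: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class User:
    email: str
    is_admin: bool = False


def can_modify(user: User, gw: Gateway) -> bool:
    """Edit / Deactivate / Delete: admins and the gateway owner only (unchanged rule)."""
    return user.is_admin or user.email == gw.owner_email


def can_authorize(user: User, gw: Gateway) -> bool:
    """Authorize / Fetch Tools: anyone who can access the gateway.

    Broader than can_modify: public gateways are accessible to any signed-in
    user, team gateways to team members. Any other visibility value falls
    back to the owner/admin rule (an assumption of this example).
    """
    if can_modify(user, gw):
        return True
    if gw.visibility == "public":
        return True
    if gw.visibility == "team":
        return user.email in gw.team_members
    return False


def visibility_matrix() -> dict:
    """Evaluate the five rows of the PR's table with constructed users and gateways.

    Returns {row name: (authorize_visible, edit_delete_visible)}.
    """
    team_gw = Gateway(
        "owner@example.com", "team",
        frozenset({"owner@example.com", "member@example.com"}),
    )
    public_gw = Gateway("owner@example.com", "public")
    admin = User("admin@example.com", is_admin=True)
    owner = User("owner@example.com")
    member = User("member@example.com")
    outsider = User("outsider@example.com")

    rows = {
        "Admin": (admin, team_gw),
        "Gateway owner": (owner, team_gw),
        "Team member (non-gateway-owner)": (member, team_gw),
        "Any user (public gw)": (outsider, public_gw),
        "Non-member (team gw)": (outsider, team_gw),
    }
    return {name: (can_authorize(u, g), can_modify(u, g)) for name, (u, g) in rows.items()}


if __name__ == "__main__":
    for name, (auth, mod) in visibility_matrix().items():
        print(f"{name:35} authorize={auth!s:5} edit/delete={mod}")
```

Running the block prints one line per table row; the "Non-member (team gw)" row is the only one where both predicates are false, and the two middle rows are where `can_authorize` diverges from `can_modify`.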

…ways

Non-owner team members and public gateway users could not see the
Authorize button, preventing them from completing the OAuth flow and
storing their own tokens. The backend already supports per-user OAuth
tokens (keyed by gateway_id + app_user_email), but the UI gated the
Authorize button behind can_modify which requires owner/admin status.

Introduce can_authorize — a broader visibility check that includes
team members and public gateway users — and apply it to the Authorize
and Fetch Tools buttons while keeping Edit/Deactivate/Delete behind
can_modify.

Closes: IBM#3934

Signed-off-by: kimsehwan96 <sktpghks138@gmail.com>

Development

Successfully merging this pull request may close these issues.

[FEATURE][AUTH]: Allow non-owner users to initiate OAuth authorization on accessible gateways
