add restrict_admin_usage arg to admin_override

rather than allow admins to do everything specifically, we should
only block them from things we conciously don't want them to do.
This is "Don't let platform admins send letters from services they're
not in". Everything else the platform admins can do.

This is step one, adding a restrict_admin_usage flag, and setting that
for those restricted endpoints around creating api keys, uploading CSVs
and sending one-off messages.

Also, this commit separates the two use cases for permissions:
* user.has_permission for access control
* user.has_permission_for_service for user info - this is used for
  showing checkboxes on the manage-users page for example

With this, we can remove the admin_override flag from the permission
decorator.

app/templates/views/manage-users.html

@@ -64,19 +64,19 @@
         <ul class="tick-cross-list">
           <div class="tick-cross-list-permissions">
             {{ tick_cross(
-              user.has_permissions('send_messages'),
+              user.has_permission_for_service(current_service.id, 'send_messages'),
               'Send messages'
             ) }}
             {{ tick_cross(
-              user.has_permissions('manage_templates'),
+              user.has_permission_for_service(current_service.id, 'manage_templates'),
               'Add and edit templates'
             ) }}
             {{ tick_cross(
-              user.has_permissions('manage_service'),
+              user.has_permission_for_service(current_service.id, 'manage_service'),
               'Manage service'
             ) }}
             {{ tick_cross(
-              user.has_permissions('manage_api_keys'),
+              user.has_permission_for_service(current_service.id, 'manage_api_keys'),
               'Access API keys'
             ) }}
             {% if 'email_auth' in current_service['permissions'] %}