Fix permission and role management bugs

Fix multiple permission and role-related issues:

1. Gantt chart access: Replace is_admin check with view_projects permission
   - Users with custom roles having view_projects permission can now access
     Gantt charts, not just admins
   - Updated app/routes/gantt.py to check permissions properly

2. Task view filtering: Replace is_admin check with view_all_tasks permission
   - Users with custom roles having view_all_tasks permission can now see
     all tasks in the Tasks view, not just admins
   - Updated app/services/task_service.py to accept has_view_all_tasks parameter
   - Updated app/routes/tasks.py list_tasks and export_tasks to use permission check

3. Role assignment security: Prevent privilege escalation
   - Added is_super_admin property to User model
   - Only super_admins can assign super_admin role to users
   - Only super_admins can remove admin role from themselves or others
   - Prevents admins from escalating privileges or removing admin access
   - Updated app/routes/permissions.py manage_user_roles with validation

4. Version display consistency: Ensure consistent version display
   - Added APP_VERSION environment variable to docker-compose.example.yml
   - Ensures version is displayed consistently when using pre-built images

All changes maintain backward compatibility and follow the existing
permission system architecture.
Dries Peeters
2025-12-12 22:18:30 +01:00
parent 88656c3d34
commit bde61c7f5d
6 changed files with 52 additions and 12 deletions


@@ -12,6 +12,8 @@ services:
- ADMIN_USERNAMES=${ADMIN_USERNAMES:-admin}
# Security (required in production)
- SECRET_KEY=${SECRET_KEY}
# Version (inherited from image, but can be overridden)
- APP_VERSION=${APP_VERSION:-}
# Database (bundled Postgres)
- DATABASE_URL=postgresql+psycopg2://timetracker:timetracker@db:5432/timetracker
# CSRF & cookies (safe for HTTP local; tighten for HTTPS)
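Review bot: the new `- APP_VERSION=${APP_VERSION:-}` line does not match its comment "inherited from image, but can be overridden": with the `:-` default, an unset host variable expands to an empty string, and Compose then sets `APP_VERSION=` inside the container, which shadows whatever value the image baked in rather than inheriting it. To get the described behaviour, either pass the variable through only when the host defines it (`- APP_VERSION`, no `=`), or document that an empty value is expected to fall back to the image default and make the application treat an empty `APP_VERSION` the same as an unset one. Worth a quick check in a container started without the host variable set, since this is exactly the pre-built-image case the commit message says it fixes.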