[6.x] Allow control over who can be impersonated in UserPolicy

[ryanmitchell]

This PR adds an impersonate($authed, $user) method to the Statamic UserPolicy which is checked by the Impersonate action. This allows a developer to add custom logic in their own UserPolicy to determine if the authed user can impersonate the user in question... e.g. if you want admins not to be able to impersonate super admins.

Usage example:

// app/Policies/UserPolicy.php
namespace App\Policies;

use Statamic\Policies\UserPolicy as StatamicUserPolicy;

class UserPolicy extends StatamicUserPolicy
{
    public function impersonate($authed, $user)
    {
        // don't allow impersonating super users
        return ! $user->super;
    }
}

// app/Providers/AppServiceProvider.php
use Illuminate\Support\Facades\Gate;
use Statamic\Auth\File\User;

public function boot(): void
{
    Gate::policy(User::class, \App\Policies\UserPolicy::class);
}