Add canStream user permission to control streaming access

Adds a per-user "Can Stream" permission mirroring the existing "Can Download"
pattern. Server admins can now disable streaming for specific users, encouraging
local downloads instead. Addresses #2572.

Changes:
- User model: stream permission in mapping, defaults, and getter
- ApiKey model: stream permission in defaults
- Controller: 403 enforcement on playback session creation endpoints
- Frontend: permission toggle in admin UI, play button gated by canStream,
  download button shown when streaming disabled, message when neither allowed
- Tests: 11 Mocha tests (model + controller), 1 Cypress test (card UI)
- Localization: English strings for toggle label and fallback message

The getter uses !== false (rather than !!) so existing users without the
stream key in their permissions JSON default to allowed on upgrade.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

server/controllers/LibraryItemController.js

@@ -413,6 +413,10 @@ class LibraryItemController {
    * @param {Response} res
    */
   startPlaybackSession(req, res) {
+    if (!req.user.canStream) {
+      Logger.warn(`User "${req.user.username}" attempted to stream without permission`)
+      return res.sendStatus(403)
+    }
     if (!req.libraryItem.hasAudioTracks) {
       Logger.error(`[LibraryItemController] startPlaybackSession cannot playback ${req.libraryItem.id}`)
       return res.sendStatus(404)
@@ -430,6 +434,10 @@ class LibraryItemController {
    * @param {Response} res
    */
   startEpisodePlaybackSession(req, res) {
+    if (!req.user.canStream) {
+      Logger.warn(`User "${req.user.username}" attempted to stream without permission`)
+      return res.sendStatus(403)
+    }
     if (!req.libraryItem.isPodcast) {
       Logger.error(`[LibraryItemController] startEpisodePlaybackSession invalid media type ${req.libraryItem.id}`)
       return res.sendStatus(400)

server/models/ApiKey.js

@@ -6,6 +6,7 @@ const Logger = require('../Logger')
 /**
  * @typedef {Object} ApiKeyPermissions
  * @property {boolean} download
+ * @property {boolean} stream
  * @property {boolean} update
  * @property {boolean} delete
  * @property {boolean} upload
@@ -84,6 +85,7 @@ class ApiKey extends Model {
   static getDefaultPermissions() {
     return {
       download: true,
+      stream: true,
       update: true,
       delete: true,
       upload: true,

server/models/User.js

@@ -125,6 +125,7 @@ class User extends Model {
    */
   static permissionMapping = {
     canDownload: 'download',
+    canStream: 'stream',
     canUpload: 'upload',
     canDelete: 'delete',
     canUpdate: 'update',
@@ -169,6 +170,7 @@ class User extends Model {
   static getDefaultPermissionsForUserType(type) {
     return {
       download: true,
+      stream: true,
       update: type === 'root' || type === 'admin',
       delete: type === 'root',
       upload: type === 'root' || type === 'admin',
@@ -567,6 +569,9 @@ class User extends Model {
   get canDownload() {
     return !!this.permissions?.download && this.isActive
   }
+  get canStream() {
+    return (this.permissions?.stream !== false) && this.isActive
+  }
   get canUpload() {
     return !!this.permissions?.upload && this.isActive
   }