fix(security): restrict FontAwesome settings endpoints to admins and hide FA key

[Micsi]

Motivation

• Close a secret-disclosure and integrity gap where any authenticated user could read, overwrite, or delete the shared FontAwesome API key via /api/v1/icons/settings.
• Ensure only admin users may manage the shared third-party credential and avoid returning the plaintext secret in API responses.

Description

• Import get_admin_user and switch the GET /icons/settings and PUT /icons/settings dependencies from get_current_user to get_admin_user so only admins can call these endpoints.
• Replace the settings response model IconsSettingsOut to expose only a boolean has_fa_api_key instead of returning the stored fa_api_key plaintext value.
• Preserve existing write/delete behavior for the DB key while returning presence/absence status only in responses; update the endpoints to return has_fa_api_key accordingly.
• Changes made in obs/api/v1/icons.py (authorization and response model updates) and added the get_admin_user import.

Testing

• Ran pytest -q in the repository, which failed during test collection due to a missing test dependency (ModuleNotFoundError: No module named 'pytest_asyncio').
• No other automated tests were run in this environment due to the collection error, but the change is minimal and limited to the icons settings handlers and response model.

---

Codex Task

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e3dfe9e785

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep fa_api_key in settings response for compatibility

GET /icons/settings now returns only has_fa_api_key, but the existing UI still reads data.fa_api_key in gui/src/views/SettingsView.vue (line 1459). After this change, faSavedKey is always set to null on reload, so admins lose the “Gespeichert” state and the delete-key action despite a key still being stored. This is a client-visible regression introduced by the response shape change in this commit; either the frontend needs to be updated in the same change or the backend should preserve the old field for backward compatibility.

Useful? React with 👍 / 👎.