We should be able to optionally assign a specific (named?) ProjectRole to an OAuthAccessToken to restrict its access level instead of always giving the full permissions of the user that created it. Since the token is currently used to set the user in the session, we'll need to override the ProjectRole returned for that user somehow, for the duration of the request.
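
One possible shape for the per-request override, as an added sketch that is not the project's code: the role levels, `USER_ROLES`, `get_project_role`, `request_as` and `role_during_request` are hypothetical names. Clamping the token's role to the user's stored role, so a token can narrow access but never raise it, is an assumption added here.

```python
from contextlib import contextmanager
from contextvars import ContextVar
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class ProjectRole(IntEnum):  # hypothetical levels, ordered by privilege
    VIEWER = 1
    EDITOR = 2
    ADMIN = 3


@dataclass(frozen=True)
class OAuthAccessToken:
    user: str
    role: Optional[ProjectRole] = None  # None = token carries the user's full role


# Constructed sample data: the role stored for each user.
USER_ROLES = {"alice": ProjectRole.ADMIN, "bob": ProjectRole.VIEWER}

# Request-scoped state; a ContextVar keeps concurrent requests isolated.
_active_token: ContextVar[Optional[OAuthAccessToken]] = ContextVar(
    "active_token", default=None
)


def get_project_role(user: str) -> ProjectRole:
    """Role lookup used by permission checks; honours the per-request override."""
    stored = USER_ROLES[user]
    token = _active_token.get()
    if token is None or token.user != user or token.role is None:
        return stored
    # Clamp: the token may narrow the user's role but never exceed it.
    return min(stored, token.role)


@contextmanager
def request_as(token: OAuthAccessToken):
    """Set the session user from the token; the override ends with the request."""
    reset = _active_token.set(token)
    try:
        yield token.user
    finally:
        _active_token.reset(reset)  # runs even if the handler raises


def role_during_request(token: OAuthAccessToken) -> ProjectRole:
    with request_as(token) as user:
        return get_project_role(user)
```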