We should be able to optionally assign a specific (named?)
ProjectRole to an
OAuthAccessToken to restrict its access level instead of always giving the full permissions of the user that created it. Since the token is currently used to set the user in the session, we'll need to override the
ProjectRole returned for that user somehow, for the duration of the request.