Issues can be deleted by authors when using WorkItemDelete mutation

Related discussions: !84023 (comment 925730053), #346132 (closed)

Right now, in WorkItemDelete, we check the :delete_work_item permission. This is defined as:

rule { can?(:destroy_issue) | is_member_and_author }.enable :delete_work_item

So aside from those that can destroy issues (project owners), we also allow authors that are project members. Since regular issues can be passed in to this mutation, I think this may be reported as a vulnerability.

I think we have several options:

• Only allow Tasks in WorkItemDelete until we can change the issue permissions to match
• Change :delete_work_item to match issues and only allow project owners
• Change :destroy_issue to allow authors that are project members to delete issues

I think the first 2 are more viable. Also related to #370487 (closed)

cc @donaldcook @gweaver