Add policy for Cloud Connector status API

In the initial iteration of the cloudConnectorStatus GraphQL call, we did not add authorization logic via our internal permissions system. This means anyone with a valid token can call this endpoint.

Since this endpoint is currently only used by instance admins, we should restrict this API to this particular type of persona.


I clarified on Slack:

  • We should probably add a new policy instead of using :manage_ai_settings, since CC will eventually go beyond AI.
  • We cannot use type-based authZ because the object in the GQL call is not an AR model but a ServiceResponse. We can just perform a manual policy check in the resolver via Ability.allowed?.
Edited by Matthias Käppler
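
A sketch of the manual resolver check described above, added here as an illustration and not taken from the GitLab code base. `Ability`, `User` and `ServiceResponse` are simplified stand-ins so it runs offline, and the ability name `:read_cloud_connector_status`, the resolver class and the error class are hypothetical.

```ruby
# Stand-ins so the sketch runs offline; these are NOT GitLab's classes.
User = Struct.new(:name, :admin)
ServiceResponse = Struct.new(:status, :payload) # plain object, not an ActiveRecord model

# Simplified policy layer: maps ability names to rules over the user.
module Ability
  RULES = {
    # Hypothetical dedicated ability, kept separate from :manage_ai_settings.
    read_cloud_connector_status: ->(user) { !user.nil? && user.admin == true }
  }.freeze

  # Unknown abilities and anonymous users are denied (fail closed).
  def self.allowed?(user, ability, _subject = :global)
    rule = RULES[ability]
    rule ? rule.call(user) : false
  end
end

class ResourceNotAvailable < StandardError; end

# Hypothetical resolver. The resolved object is a ServiceResponse, so there
# is no model for type-level authorization to inspect; the check is done by
# hand, before any status probing starts.
class CloudConnectorStatusResolver
  attr_reader :probe_calls

  def initialize(current_user)
    @current_user = current_user
    @probe_calls = 0
  end

  def resolve
    unless Ability.allowed?(@current_user, :read_cloud_connector_status, :global)
      raise ResourceNotAvailable, "The resource is not available or you lack permission"
    end

    run_probes
  end

  private

  # Constructed sample result standing in for the real status probes.
  def run_probes
    @probe_calls += 1
    ServiceResponse.new(:success, { probes: [] })
  end
end
```

A request spec for the real change would cover the same three callers: an instance admin, a signed-in non-admin with a valid token, and an anonymous caller.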