


jekkos
2c0ae0b035 Add admin-only restriction for giftcard deletion
Giftcards represent monetary value, so restrict deletion to admin users
only to prevent potential fraud by non-admin employees.

Related to BOLA vulnerability fix in Employees controller.
2026-03-06 08:07:39 +00:00
2 changed files with 7 additions and 0 deletions


@@ -174,6 +174,12 @@ class Giftcards extends Secure_Controller
*/
public function postDelete(): ResponseInterface
{
$current_user = $this->employee->get_logged_in_employee_info();
if (!$this->employee->is_admin($current_user->person_id)) {
return $this->response->setJSON(['success' => false, 'message' => lang('Giftcards.error_deleting_non_admin')]);
}
$giftcards_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
if ($this->giftcard->delete_list($giftcards_to_delete)) {
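Review bot: The denial on the new `return` line answers with the default 200 status and a JSON body, so at the HTTP level a rejected deletion is indistinguishable from a successful one; consider `return $this->response->setStatusCode(403)->setJSON(['success' => false, 'message' => lang('Giftcards.error_deleting_non_admin')]);` so clients, proxies and access logs record the authorization failure. The commit message says the same fix went into the Employees controller; if that check has the same shape, it is a candidate for a shared helper on Secure_Controller rather than a per-controller copy, and an optional `log_message('warning', ...)` on the denied path would give the audit trail a non-admin deletion attempt deserves. The docblock that ends at `*/` just above the signature is outside the hunk and should state the new precondition, e.g. `@return ResponseInterface JSON with success=false (and a 403 if adopted) when the logged-in employee is not an admin`. postDelete's body continues past the end of the hunk.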


@@ -5,6 +5,7 @@ return [
"allow_alt_description" => "Allow Alternate Description",
"bulk_edit" => "Bulk Edit",
"cannot_be_deleted" => "Could not delete selected Gift Card(s), one or more of the selected Gift Cards has sales.",
"error_deleting_non_admin" => "Only admin users can delete gift cards.",
"cannot_find_giftcard" => "Gift Card not found.",
"cannot_use" => "Gift Card {0} cannot be used for this sale: invalid Customer.",
"card_value" => "Value",