mirror of https://github.com/inventree/InvenTree.git synced 2025-06-18 04:55:44 +00:00

Fix API endpoint permission for the "AttachmentMixin" class (#3218)

* Fix API endpoint permission for the "AttachmentMixin" class

- Any authenticated user could perform CREATE and UPDATE operations on attachments
- Could be performed via the browsable DRF API
- Could also be performed via the front-end (with some advanced jiggering of OPTIONS code)

* Show or hide buttons depending on the permissions of the user

* Add shortcut for table permission check
Oliver
2022-06-18 14:48:09 +10:00
committed by GitHub
parent 18cf92ec8b
commit 12fcccb5a6
4 changed files with 98 additions and 44 deletions


@ -222,6 +222,11 @@ class RuleSet(models.Model):
@classmethod
def check_table_permission(cls, user, table, permission):
"""Check if the provided user has the specified permission against the table."""
# Superuser knows no bounds
if user.is_superuser:
return True
# If the table does *not* require permissions
if table in cls.RULESET_IGNORE:
return True
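
Review bot: the `if user.is_superuser:` shortcut at the top of `check_table_permission` returns True without also checking `user.is_active`, so a superuser account that has been deactivated but still reaches this method is granted every table permission. Django's own `User.has_perm` only short-circuits for superusers that are active; consider `if user.is_active and user.is_superuser:` here. The docstring should also state that superusers bypass the per-table check, since callers reading "has the specified permission against the table" would not expect an unconditional True.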