Merge commit from fork

* Add note to plugin docs.

* Adjust logic for PluginListTable

* Add superuser scope to PluginInstall API endpoint

* Update unit test for API endpoint

* Explicitly set PLUGINS_INSTALL_DISABLED if PLUGINS_ENABLED = False

* Check for superuser permission in installer.py

* Additional user checks

* Sanitize package name to protect against OS command injection

src/frontend/src/tables/plugin/PluginListTable.tsx

@@ -220,7 +220,6 @@ export default function PluginListTable() {
           // Uninstall an installed plugin
           // Must be inactive, not a builtin, not a sample, and installed as a package
           hidden:
-            !user.isSuperuser() ||
             record.active ||
             record.is_builtin ||
             record.is_mandatory ||
@@ -244,8 +243,7 @@ export default function PluginListTable() {
             record.is_builtin ||
             record.is_mandatory ||
             record.is_sample ||
-            record.is_installed ||
-            !user.isSuperuser(),
+            record.is_installed,
           title: t`Delete`,
           tooltip: t`Delete selected plugin configuration`,
           color: 'red',
@@ -355,7 +353,12 @@ export default function PluginListTable() {
 
   // Custom table actions
   const tableActions = useMemo(() => {
-    if (!user.isSuperuser() || !server.plugins_enabled) {
+    if (
+      !user.isSuperuser() ||
+      !server.plugins_enabled ||
+      server.plugins_install_disabled
+    ) {
+      // Prevent installation if plugins are disabled or user is not superuser
       return [];
     }
 
@@ -376,7 +379,6 @@ export default function PluginListTable() {
           setPluginPackage('');
           installPluginModal.open();
         }}
-        disabled={server.plugins_install_disabled || false}
       />
     ];
   }, [user, server]);