In RaspberryPiFoundation/editor-api#258 authorization logic for "school-owner", "school-teacher" & "school-student" roles was added. However, each of these roles was made organisation-specific and a single user is able to have different roles per organisation.
In the meantime in the main branch an "editor-admin" role was added to gate access to the admin dashboard. When rebasing the branch in RaspberryPiFoundation/editor-api#258, we had to resolve some conflicts in this area of the code (e.g. User#admin?) and we achieved that by saying that a user should have access to the admin dashboard if they have the "editor-admin" role for any organisation.
While the latter is probably OK for now, it's a bit of a bodge and we might want to give some more thought to how the authorization logic for roles like this ought to work.
Just a couple of thoughts. Currently I'm torn between two approaches:
1. Not every role assignment needs to be assigned to an organisation - this way we can set generic roles that apply across our products. The implications here are we need to handle organisation roles and generic roles separately.
2. Every role is assigned to an organisation - currently profile roles are used primarily (if not exclusively) for internal purposes giving access to things like admin dashboard or moderator privileges. The implication being we add an RPF organisation and alter the appropriate locations to check for the RPF org as well as the required role.
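As an added illustration (not editor-api's own code), the following Ruby sketch models per-organisation role assignments and compares the three checks discussed in this thread: the current "editor-admin for any organisation" rule, the generic organisation-less role of approach 1, and the RPF-organisation-scoped role of approach 2. The `RoleAssignment`/`User` classes, the `RPF_ORG_ID` value and the sample users are assumptions constructed for the example; the point it makes visible is that the "any organisation" rule lets an "editor-admin" assignment inside an ordinary school organisation unlock the global admin dashboard, which the two proposed approaches avoid.

```ruby
# Added example, not code from the editor-api project. Names and ids are assumptions.

# Constructed placeholder id for the Raspberry Pi Foundation organisation (approach 2).
RPF_ORG_ID = "rpf-org".freeze

# One role held by a user; organisation_id is nil for a generic (approach 1) role.
class RoleAssignment
  attr_reader :role, :organisation_id

  def initialize(role, organisation_id = nil)
    @role = role
    @organisation_id = organisation_id
  end
end

class User
  attr_reader :role_assignments

  def initialize(role_assignments)
    @role_assignments = role_assignments
  end

  # Organisation-specific roles ("school-owner", "school-teacher", "school-student").
  def roles_for(organisation_id)
    role_assignments.select { |ra| ra.organisation_id == organisation_id }.map(&:role)
  end

  # Current rule from the issue: admin if "editor-admin" is held for ANY organisation.
  # An org-scoped grant inside a school therefore escalates to the global dashboard.
  def admin_any_org?
    role_assignments.any? { |ra| ra.role == "editor-admin" }
  end

  # Approach 1: generic roles carry no organisation and are checked separately
  # from organisation roles, so a school-scoped "editor-admin" does not count.
  def admin_generic_role?
    role_assignments.any? { |ra| ra.role == "editor-admin" && ra.organisation_id.nil? }
  end

  # Approach 2: every role belongs to an organisation, and admin access requires
  # the role to be held within the RPF organisation specifically.
  def admin_rpf_org?
    role_assignments.any? { |ra| ra.role == "editor-admin" && ra.organisation_id == RPF_ORG_ID }
  end
end

# Constructed sample users.
SCHOOL_ADMIN = User.new([
  RoleAssignment.new("school-owner", "school-1"),
  RoleAssignment.new("editor-admin", "school-1") # org-scoped grant, not RPF staff
])
RPF_STAFF = User.new([RoleAssignment.new("editor-admin", RPF_ORG_ID)])
GENERIC_ADMIN = User.new([RoleAssignment.new("editor-admin")]) # organisation-less role
TEACHER = User.new([RoleAssignment.new("school-teacher", "school-2")])

if $PROGRAM_NAME == __FILE__
  [["school admin", SCHOOL_ADMIN], ["RPF staff", RPF_STAFF],
   ["generic admin", GENERIC_ADMIN], ["teacher", TEACHER]].each do |label, user|
    puts format("%-14s any-org=%-5s generic=%-5s rpf-org=%-5s", label,
                user.admin_any_org?, user.admin_generic_role?, user.admin_rpf_org?)
  end
end
```

Running the file prints one line per sample user; the school admin row is the one that differs between the current rule and either proposed approach.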