Allow only project owners to delete projects / jobsets

Giant gaping security hole.

src/lib/Hydra/Controller/Jobset.pm

@@ -219,6 +219,7 @@ sub submit : Chained('jobsetChain') PathPart Args(0) {
     my ($self, $c) = @_;
 
     requirePost($c);
+    requireProjectOwner($c, $c->stash->{project});
 
     if (($c->request->params->{submit} // "") eq "delete") {
         txn_do($c->model('DB')->schema, sub {

src/lib/Hydra/Controller/Project.pm

@@ -143,6 +143,8 @@ sub submit : Chained('projectChain') PathPart Args(0) {
     my ($self, $c) = @_;
 
     requirePost($c);
+    requireProjectOwner($c, $c->stash->{project});
+
     if (($c->request->params->{submit} // "") eq "delete") {
         txn_do($c->model('DB')->schema, sub {
             $c->stash->{project}->jobsetevals->delete_all;