fix: correct user self management on metadata and delete (#10666)

# Which Problems Are Solved

This PR fixes the self-management of users for metadata and own removal
and improves the corresponding permission checks.
While looking into the problems, I also noticed that there's a bug in
the metadata mapping when using `api.metadata.push` in actions v1 and
that re-adding a previously existing key after its removal was not
possible.

# How the Problems Are Solved

- Added a parameter `allowSelfManagement` to checkPermissionOnUser to
not require a permission if a user is changing its own data.
- Updated use of `NewPermissionCheckUserWrite` including prevention of
self-management for metadata.
- Pass permission check to the command side (for metadata functions) to
allow it implicitly for login v1 and actions v1.
- Use of json.Marshal for the metadata mapping (as with
`AppendMetadata`)
- Check the metadata state when comparing the value.

# Additional Changes

- added a variadic `roles` parameter to the `CreateOrgMembership`
integration test helper function to allow defining specific roles.

# Additional Context

- noted internally while testing v4.1.x
- requires backport to v4.x
- closes https://github.com/zitadel/zitadel/issues/10470
- relates to https://github.com/zitadel/zitadel/pull/10426

(cherry picked from commit 5329d50509)

internal/api/grpc/user/v2beta/integration_test/user_test.go

@@ -1297,6 +1297,17 @@ func TestServer_LockUser(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "no permission, error",
+			args: args{
+				UserCTX,
+				&user.LockUserRequest{
+					UserId: Instance.Users.Get(integration.UserTypeNoPermission).ID,
+				},
+				func(request *user.LockUserRequest) error { return nil },
+			},
+			wantErr: true,
+		},
 		{
 			name: "lock, ok",
 			args: args{
@@ -1405,6 +1416,17 @@ func TestServer_UnLockUser(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "no permission, error",
+			args: args{
+				UserCTX,
+				&user.UnlockUserRequest{
+					UserId: Instance.Users.Get(integration.UserTypeNoPermission).ID,
+				},
+				func(request *user.UnlockUserRequest) error { return nil },
+			},
+			wantErr: true,
+		},
 		{
 			name: "unlock, not locked",
 			args: args{
@@ -1513,6 +1535,17 @@ func TestServer_DeactivateUser(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "no permission, error",
+			args: args{
+				UserCTX,
+				&user.DeactivateUserRequest{
+					UserId: Instance.Users.Get(integration.UserTypeNoPermission).ID,
+				},
+				func(request *user.DeactivateUserRequest) error { return nil },
+			},
+			wantErr: true,
+		},
 		{
 			name: "deactivate, ok",
 			args: args{
@@ -1621,6 +1654,17 @@ func TestServer_ReactivateUser(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "no permission, error",
+			args: args{
+				UserCTX,
+				&user.ReactivateUserRequest{
+					UserId: Instance.Users.Get(integration.UserTypeNoPermission).ID,
+				},
+				func(request *user.ReactivateUserRequest) error { return nil },
+			},
+			wantErr: true,
+		},
 		{
 			name: "reactivate, not deactivated",
 			args: args{
@@ -1730,6 +1774,17 @@ func TestServer_DeleteUser(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "no permission, error",
+			args: args{
+				UserCTX,
+				&user.DeleteUserRequest{
+					UserId: Instance.Users.Get(integration.UserTypeNoPermission).ID,
+				},
+				func(request *user.DeleteUserRequest) {},
+			},
+			wantErr: true,
+		},
 		{
 			name: "remove human, ok",
 			args: args{