fix includes for client API keys on admin accounts; closes pterodactyl#4164

Author: DaneEveritt

app/Transformers/Api/Application/BaseTransformer.php

@@ -67,11 +67,20 @@ public static function fromRequest(Request $request)
      */
     protected function authorize(string $resource): bool
     {
+        $allowed = [ApiKey::TYPE_ACCOUNT, ApiKey::TYPE_APPLICATION];
+
         $token = $this->request->user()->currentAccessToken();
-        if (!$token instanceof ApiKey || $token->key_type !== ApiKey::TYPE_APPLICATION) {
+        if (!$token instanceof ApiKey || !in_array($token->key_type, $allowed)) {
             return false;
         }
 
+        // If this is not a deprecated application token type we can only check that
+        // the user is a root admin at the moment. In a future release we'll be rolling
+        // out more specific permissions for keys.
+        if ($token->key_type === ApiKey::TYPE_ACCOUNT) {
+            return $this->request->user()->root_admin;
+        }
+
         return AdminAcl::check($token, $resource, AdminAcl::READ);
     }