Update permissions on artifact endpoints

Erwan Rouchet requested to merge task-artifacts-permissions into master

Part of #1540 (closed)

This updates ListArtifacts, CreateArtifact and TaskArtifactDownload, because doing them separately is an even larger mess.

  • ListArtifacts is restricted to instance admins, process guests with verified emails (for the artifacts menus in the frontend), any Ponos agent (to allow downloading artifacts before starting), and the task itself.
  • CreateArtifact is restricted to the Ponos agent assigned to the task, because it should only call it once the task ends, and to the Ponos task itself, because the Git import calls CreateArtifact to upload Docker images.
  • TaskArtifactDownload has the exact same restrictions as ListArtifacts.
