Problem/Motivation

This module creates permissions for every action configured in a site.

https://git.drupalcode.org/project/expose_actions/-/blob/457e9d402a048d8...

https://git.drupalcode.org/project/expose_actions/-/blob/457e9d402a048d8...

It checks these permissions in a _custom_access callback on the expose_actions.confirm route that it provides:

https://git.drupalcode.org/project/expose_actions/-/blob/457e9d402a048d8...

https://git.drupalcode.org/project/expose_actions/-/blob/457e9d402a048d8...

However, this route is only used for actions that do not provide a confirmation form:

https://git.drupalcode.org/project/expose_actions/-/blob/2.1.x/expose_ac...

This means that the permissions are not always checked. For actions that provide their own confirmation form, the button bypasses the expose_actions.confirm route, so whether the button works depends on how the confirmation route is implemented and protected by the module that provides the action. As a result, action buttons may be shown to users who were not granted the permission that this module provides.

I don't think this qualifies as a security issue because it is not opening up any new vulnerabilities. It simply isn't using the permissions that this module provides, which is misleading, and the permissions are pointless. Ultimately, it is up to the modules that provide actions to ensure that their confirmation routes are protected.

Proposed resolution

Two potential ideas:

1. Don't provide permissions for actions with a confirmation form.
2. Provide a route for actions with a confirmation form, which checks the permission from this module, and then redirects to the action's confirmation form.

The challenge with approach 1 is that it requires removing permissions that may already be saved to roles/configuration, so an update hook will be needed to clean those up.

The challenge with approach 2 is that it only guarantees that the action link button respects this module's permissions, but it doesn't guarantee that the user will have access to the action's confirmation route. So if a site admin gives the user permission to see the button, but not to access the confirmation form, they will be redirected to a 403.
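Sketch of approach 2, added here as an illustration and not code from the expose_actions module: a controller whose `_custom_access` callback checks the module's permission and whose body redirects to the confirmation form advertised by the action plugin's `confirm_form_route_name` definition key (a real key in Drupal core's Action annotation). The route name `expose_actions.confirm_form_redirect`, the path, the class name, and the permission naming scheme in `permissionName()` are assumptions, and passing the selected entities to the target form (for example via tempstore) is left to the providing module. To address the 403 caveat above, the controller checks access to the target route before redirecting and sends the user back with a message instead of bouncing them to an access-denied page.

```php
<?php

namespace Drupal\expose_actions\Controller;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Url;
use Drupal\system\Entity\Action;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

/**
 * Hypothetical routing.yml entry (not part of expose_actions):
 *
 * expose_actions.confirm_form_redirect:
 *   path: '/expose-actions/{action}/confirm-form'
 *   defaults:
 *     _controller: '\Drupal\expose_actions\Controller\ConfirmFormRedirectController::redirectToConfirmForm'
 *   requirements:
 *     _custom_access: '\Drupal\expose_actions\Controller\ConfirmFormRedirectController::access'
 */
class ConfirmFormRedirectController extends ControllerBase {

  /**
   * Permission name this module would grant for an action.
   *
   * Assumption: placeholder scheme, not the module's real permission names.
   */
  public static function permissionName(string $action_id): string {
    return "use $action_id action";
  }

  /**
   * _custom_access callback: the one place this module's permission is enforced.
   */
  public function access(AccountInterface $account, string $action): AccessResultInterface {
    // Unknown action IDs are forbidden rather than falling through to a redirect.
    if (!Action::load($action)) {
      return AccessResult::forbidden()->addCacheTags(['config:action_list']);
    }
    return AccessResult::allowedIfHasPermission($account, static::permissionName($action))
      ->addCacheTags(['config:action_list']);
  }

  /**
   * Redirects to the action's own confirmation form, if it declares one.
   */
  public function redirectToConfirmForm(string $action): RedirectResponse {
    $action_entity = Action::load($action);
    $definition = $action_entity->getPlugin()->getPluginDefinition();

    // Only actions that declare a confirmation form belong on this route; the
    // others are handled by the existing expose_actions.confirm route.
    if (empty($definition['confirm_form_route_name'])) {
      throw new NotFoundHttpException();
    }

    $target = Url::fromRoute($definition['confirm_form_route_name']);

    // The module's permission only controls the button; the providing module's
    // route still has its own access check. Pre-check it so a user who was
    // granted the button but not the form gets a message instead of a 403.
    if (!$target->access($this->currentUser())) {
      $this->messenger()->addError($this->t('You do not have access to the confirmation form for the @action action.', [
        '@action' => $action_entity->label(),
      ]));
      return $this->redirect('<front>');
    }

    return new RedirectResponse($target->toString());
  }

}
```

The access pre-check only covers route-level access; the confirmation form itself may still refuse the request if the expected selection (e.g. a tempstore entry) is missing, which is why handing the selection over has to be coordinated with the module that provides the action.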

Remaining tasks

TBD

User interface changes

TBD

API changes

None.

Data model changes

None.

Comments

m.stenta created an issue. See original summary.
