Broken Access Control in Azuriom CMS Server Routes Allows Account Takeover

An authenticated attacker who holds the `admin.access` permission can create AzLink server tokens via crafted HTTP requests to `/admin/servers/create`. Using those tokens, the attacker can then call the AzLink API endpoints (`/api/azlink/password`, `/api/azlink/email`, `/api/azlink/user/{id}`) to change the password and email address of any non-admin user, effectively taking over those accounts. The vulnerability stems from missing authorization checks in the server management routes — the `admin.servers` permission was not enforced, allowing users with only `admin.access` to access server-creation functionality that should require a higher privilege level.

The patch touches multiple files across the Azuriom codebase. The most security-relevant change is in `routes/admin.php` (not shown in the diff) and the addition of the `'admin.servers' => 'admin.permissions.admin-servers'` permission entry in the Permission model. The version bump from 1.2.10 to 1.2.11 confirms the fix boundary.

The patch adds the `'admin.servers' => 'admin.permissions.admin-servers'` permission entry to the Permission model, which allows the server management routes to require this specific permission rather than relying on the broader `admin.access` permission. This closes the authorization gap that previously let attackers with only `admin.access` create AzLink server tokens and subsequently take over user accounts. The version is bumped from 1.2.10 to 1.2.11 to mark the release containing the fix.