AO3-6498 Allow certain admins to access refused gifts page

[not-varram]

Pull Request Checklist

• Have you read "How to write the perfect pull request"?
• Have you read the contributing guidelines?
• Have you added tests for any changed functionality?
• Have you added the Jira issue number
  as the first thing in your pull request title (e.g. AO3-1234 Fix thing)
• Do you have fewer than 5 pull requests already open? If not, please wait
  until they are reviewed and merged before creating new pull requests.

Issue

https://otwarchive.atlassian.net/browse/AO3-6498 (Please fill in issue number and remove this comment.)

Purpose

Fixes admin access on user gifts pages so policy_and_abuse and superadmin can:

• see the Accepted/Refused gifts navigation,
• load refused gifts via URL/tab,
• while still not being shown recipient action buttons (Accept Gift / Refuse Gift)

Testing Instructions

1. Log in as an admin with role policy_and_abuse or superadmin.
2. Visit /users/:username/gifts for a user with at least one refused gift.
3. Confirm tabs for Accepted Gifts and Refused Gifts are visible.
4. Click Refused Gifts (or visit /users/:username/gifts?refused=true) and confirm refused gifts are shown.
5. Confirm recipient action buttons are not shown to admin.
6. (Negative check) Log in as another admin role (e.g., support) and confirm refused gifts tab/page is not available.

Credit

varram (he/him)

[Bilka2]

Please use pundit for the access control. You can find our existing policies in the app/policies folder if you'd like examples. The other issues on the admin role Epic also have examples of pundit implementations.

For the specs, please use the an action only authorized admins can access shared example if possible, it tests a lot of admin roles automatically and we don't need to duplicate that code here. Examples for it's use can be found all across the admin role tests.

[Bilka2]

Thanks for converting to pundit!

[Bilka2]

Thank you!