
Rewrite RLS policies to guard admin/power user commands behind Assurance Level 2 & block banned users from taking action #153

@zealsprince

Description


We have multi-factor authentication as well as a ban system in the application. There are a few ways we can enhance these and their functionality/security:

  • Any action a user takes should be referenced against their ban status. This is a slight performance hit as we have to do an extra look-up but it means that we can guard malicious users that have been banned from programmatic access even if the website logs them out and disallows logins.
  • Any admin activity should be guarded by 2FA - to enforce this, we disallow users that are only authenticated at Assurance Level 1 from accessing the admin panel and rewrite our RLS policies to check for AAL2 of the session before performing any action.
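One way to express both checks as Postgres RLS policies, as an added example rather than code from this issue or repository. It assumes Supabase-style `auth.uid()` and `auth.jwt()` helpers and the JWT `aal` claim, and uses hypothetical tables `public.bans`, `public.admins` and `public.posts`:

```sql
-- Hypothetical schema for the example (not the project's real tables).
create table if not exists public.bans (
  user_id uuid primary key references auth.users (id),
  banned_at timestamptz not null default now()
);
create table if not exists public.admins (
  user_id uuid primary key references auth.users (id)
);
create table if not exists public.posts (
  id bigint generated always as identity primary key,
  author_id uuid not null references auth.users (id),
  body text not null
);

-- Ban check for the calling user. security definer lets the lookup run even
-- if RLS on public.bans hides rows from ordinary users (the "extra look-up").
create or replace function public.is_banned() returns boolean
language sql stable security definer set search_path = public as $$
  select exists (select 1 from public.bans where user_id = auth.uid());
$$;

-- Admin membership check against the hypothetical admins table.
create or replace function public.is_admin() returns boolean
language sql stable security definer set search_path = public as $$
  select exists (select 1 from public.admins where user_id = auth.uid());
$$;

-- AAL2 check: the session's assurance level is carried in the JWT "aal"
-- claim; a missing claim is treated as aal1 so the check fails closed.
create or replace function public.is_aal2() returns boolean
language sql stable as $$
  select coalesce(auth.jwt() ->> 'aal', 'aal1') = 'aal2';
$$;

alter table public.posts enable row level security;

-- Ordinary users may write their own rows, but a banned user is refused even
-- with a still-valid token that the website would normally have logged out.
create policy "users insert own posts unless banned" on public.posts
for insert to authenticated
with check (author_id = auth.uid() and not public.is_banned());

-- Admin command: admin membership AND an MFA-backed (AAL2) session AND no
-- ban; an admin session still at AAL1 is denied at the database layer.
create policy "admins delete posts at aal2" on public.posts
for delete to authenticated
using (public.is_admin() and public.is_aal2() and not public.is_banned());
```

Because the ban and AAL checks live in the policies, they apply to every API path that reaches the table, not only to requests that pass through the website's login and admin-panel checks.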
