Modal scroll fix; per-account editor/viewer roles

- Fix account settings modal overflow: add max-height to .modal, make
  .modal-body flex/scrollable, widen #acct-settings-modal to 620px
- Add role column to user_accounts (editor|viewer) with migration;
  existing assignments promoted to editor
- New isEditorForAccount() in auth middleware for per-account write checks
- Replace global requireEditor with per-account checks in checks.js,
  deposits.js, pdf.js, deposit-pdf.js, qbo-import.js
- GET /api/accounts now returns user_role per account
- users.js returns {account_id, role} per assignment; POST/PUT accept
  accounts as [{id, role}]
- Frontend: state.accountRole tracks effective role for active account;
  applyRoleUI and renderRow use it; user management shows role dropdown
  per account assignment

src/middleware/auth.js

@@ -34,6 +34,17 @@ function canAccessAccount(session, accountId) {
   return !!row;
 }
 
+// Returns true if the user has editor (write) access to the given account.
+// Admins always return true. Non-admins need user_accounts.role = 'editor'.
+function isEditorForAccount(session, accountId) {
+  if (!session || !session.userId) return false;
+  if (session.role === 'admin') return true;
+  const row = db.prepare(
+    "SELECT role FROM user_accounts WHERE user_id = ? AND account_id = ?"
+  ).get(session.userId, accountId);
+  return !!(row && row.role === 'editor');
+}
+
 // Middleware factory — resolves accountId via a callback on req, then checks access
 function requireAccountAccess(getAccountId) {
   return (req, res, next) => {
@@ -50,4 +61,4 @@ function requireAccountAccess(getAccountId) {
   };
 }
 
-module.exports = { requireAuth, requireAdmin, requireEditor, requireAccountAccess, canAccessAccount };
+module.exports = { requireAuth, requireAdmin, requireEditor, requireAccountAccess, canAccessAccount, isEditorForAccount };