fix(policy): decouple resolver editability from overrides

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>

Author: vitormattos

lib/Service/Policy/Runtime/DefaultPolicyResolver.php

@@ -119,7 +119,7 @@ private function resolveCore(
 			->setEffectiveValue($currentValue)
 			->setSourceScope($currentSourceScope)
 			->setVisible($visible)
-			->setEditableByCurrentActor($visible && $canOverrideBelow)
+			->setEditableByCurrentActor($visible && $this->canManagePolicyAtCurrentScope($context))
 			->setCanSaveAsUserDefault($visible && $canOverrideBelow)
 			->setCanUseAsRequestOverride($visible && $canOverrideBelow)
 			->setBlockedBy($currentBlockedBy);
@@ -258,6 +258,13 @@ private function canApplyLowerLayer(
 		return true;
 	}
 
+	private function canManagePolicyAtCurrentScope(PolicyContext $context): bool {
+		$actorCapabilities = $context->getActorCapabilities();
+
+		return ($actorCapabilities['canManageSystemPolicies'] ?? false) === true
+			|| ($actorCapabilities['canManageGroupPolicies'] ?? false) === true;
+	}
+
 	/** @param list<mixed> $currentAllowedValues
 	 * @param list<mixed> $layerAllowedValues
 	 * @return list<mixed>