s3tables: Separate permission checks for tagging and untagging

- Add CanTagResource() to check TagResource permission
- Add CanUntagResource() to check UntagResource permission
- Update CanManageTags() to check both operations (OR logic)

This prevents UntagResource from incorrectly checking 'ManageTags' permission
and ensures each operation validates the correct permission when per-operation
permissions are enforced.

weed/s3api/s3tables/permissions.go

@@ -237,9 +237,19 @@ func CanDeleteTablePolicy(principal, owner, resourcePolicy string) bool {
 	return CheckPermission("DeleteTablePolicy", principal, owner, resourcePolicy)
 }
 
-// CanManageTags checks if principal can manage tags
+// CanTagResource checks if principal can tag a resource
+func CanTagResource(principal, owner, resourcePolicy string) bool {
+	return CheckPermission("TagResource", principal, owner, resourcePolicy)
+}
+
+// CanUntagResource checks if principal can untag a resource
+func CanUntagResource(principal, owner, resourcePolicy string) bool {
+	return CheckPermission("UntagResource", principal, owner, resourcePolicy)
+}
+
+// CanManageTags checks if principal can manage tags (tag or untag)
 func CanManageTags(principal, owner, resourcePolicy string) bool {
-	return CheckPermission("ManageTags", principal, owner, resourcePolicy)
+	return CanTagResource(principal, owner, resourcePolicy) || CanUntagResource(principal, owner, resourcePolicy)
 }
 
 // AuthError represents an authorization error