Allow oauth2 clients to exercise permissions independent to the user

app/routing/middleware/api/Permission.middleware.js

@@ -24,6 +24,11 @@ class PermissionMiddleware extends Middleware {
                     .message('Insufficient permissions (OAuth2 Client).')
                     .api()
             }
+
+            // If the oauth2 client has this permission, then allow the request to continue,
+            // even if the user does not.
+            // OAuth2Clients need to be able to query users via the API.
+            return next()
         }
 
         const policy_denied = await Policy.check_user_denied(req.user, check)