Improve reader functionality (part 2)

[manuthecoder]

This PR strengthens role-based access control throughout the application by:

Authorization Policy Updates:

• Allows position owners to delete their own positions (in addition to admins/contract signees)
• Changes receipt deletion to use proper role checks instead of simple event membership

View-Level Access Control:

• Adds :member role requirement for "Add tag" UI elements across transactions, employees, and events views
• Restricts invoice voiding/archiving to :member role organizers
• Adds policy checks before showing receipt delete buttons