Restrict webhook setting to admins on API

[foosel]

I recently noticed that I'd not properly protected some sensitive data in one of my own plugins. An API key was available on the settings API for basically everyone with access to the instance in question (settings API GET requests are not restricted since a lot of settings data is directly needed in the frontend for various things). Not a good idea. So I fixed that in my own plugin, added a new utility method in OctoPrint itself in future versions to allow to define restricted settings paths (already part of 1.2.17rc1) and thought I'd also go around and send some PRs to the plugins I know of that also might have sensitive data such as API keys and what not stored in their settings.

This PR is the result of that. I have to admit that I could not properly test it myself due to not having a Slack account, so please give it a test whirl before merging and releasing it.

The basic idea is to set sensitive settings fields to "None" if the settings load call does not originate from a user with admin rights.

Two implementations are provided, one for OctoPrint versions up to and including 1.2.16, and one for OctoPrint versions after 1.2.16 which come with a new method on the SettingsPlugin API to allow defining restricted paths.