Add a current_user_can check to our cache clearing method #309

Merged
merged 1 commit into from
Nov 8, 2024

@dkotter dkotter commented Nov 6, 2024

Description of the Change

In #90 we introduced an admin setting that allows on-demand clearing of avatar cache, useful for situations where image sizes have changed and SLA still has the old image sizes stored.

This setting outputs a button that, when clicked, fires an AJAX request to kick off the cache clearing process. This request does pass and validate a proper nonce but doesn't have any user capability check. This means in theory anyone that has a user account on the site can generate a nonce and make a direct request to the proper AJAX endpoint to trigger that cache clearing.

This PR fixes that by adding a current_user_can( 'manage_options' ) check, as only users with that capability can access the Settings > Discussion page to begin with and thus should be the only ones that can initiate this cache clearing.

How to test the Change

  1. Go to Settings > Discussion
  2. Scroll down to the Clear local avatar cache setting and click the Clear cache button
  3. Ensure this process works as expected

The test above ensures things still work as expected but does not verify things are more secure. If desired, can provide details on how to test that, which requires making direct requests to the AJAX endpoint.

Changelog Entry

Security - Run a user capability check before we clear the avatar cache.

Credits

Props @dkotter, @truonghuuphuc

Checklist:

@dkotter dkotter added this to the 2.8.0 milestone Nov 6, 2024
@dkotter dkotter self-assigned this Nov 6, 2024
@dkotter dkotter requested a review from jeffpaul as a code owner November 6, 2024 21:36
@github-actions github-actions bot added the needs:code-review This requires code review. label Nov 6, 2024
@faisal-alvi faisal-alvi merged commit 3912e38 into develop Nov 8, 2024
14 checks passed
@faisal-alvi faisal-alvi deleted the fix/cache-clear-user-privilege-check branch November 8, 2024 14:49
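
The pattern the PR description talks about, a nonce check followed by a capability check in an admin AJAX handler, sketched as an added example that is not the plugin's own code. The action name, nonce action, cache directory and function names are hypothetical; the WordPress calls are core APIs.

```php
<?php
/**
 * Plugin Name: Example cache-clear endpoint (added illustration)
 *
 * Hypothetical names: 'example_clear_cache', 'example_clear_cache_nonce',
 * the 'example-cache' directory and both functions are assumptions,
 * not identifiers from the plugin this PR changes.
 */

// wp_ajax_{action} hooks run for every logged-in user, whatever their role,
// so the handler has to enforce authorization itself.
add_action( 'wp_ajax_example_clear_cache', 'example_handle_clear_cache' );

function example_handle_clear_cache() {
	// 1. Nonce: ties the request to this user's session and this action
	//    (CSRF protection). It says nothing about what the user may do.
	if ( ! check_ajax_referer( 'example_clear_cache_nonce', 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
	}

	// 2. Capability: the same capability that gates the settings screen
	//    where the button is rendered.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// wp_send_json_* terminates the request, so this line is reached
	// only when both checks have passed.
	wp_send_json_success( array( 'removed' => example_purge_cache() ) );
}

// Deletes the files in a hypothetical cache directory under uploads
// and returns how many were removed.
function example_purge_cache() {
	$uploads = wp_upload_dir();
	$dir     = trailingslashit( $uploads['basedir'] ) . 'example-cache';
	$files   = glob( $dir . '/*' );
	$removed = 0;

	foreach ( ( $files ? $files : array() ) as $file ) {
		if ( is_file( $file ) && unlink( $file ) ) {
			$removed++;
		}
	}

	return $removed;
}
```

When reviewing other handlers for the same gap, look for `wp_ajax_` callbacks that call `check_ajax_referer()` or `wp_verify_nonce()` with no `current_user_can()` before the state-changing work.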