Rather than use user.is_authenticated, rely on certain permissions being
set for the user. This allows us to open up the developer side and not
assume everyone is a package maintainer.

Allow all logged-in users to still view todo lists, but don't show the
complete/incomplete links (only the text) unless they are allowed to
mess with todo lists.

Signed-off-by: Dan McGee <dan@archlinux.org>