fix(ui): hide header upload button from non-writers (#696)

The header "Hochladen" link was gated only on {#if data?.user}, so a
reader without WRITE_ALL saw it, clicked it, and got bounced by the
server-side redirect in documents/new — confusing friction on the main
read journey. Gate it on data.canWrite (already on the layout data).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/routes/+layout.svelte

@@ -75,7 +75,7 @@ const userInitials = $derived.by(() => {
 
 					<!-- Right Side -->
 					<div class="flex items-center gap-3">
-						{#if data?.user}
+						{#if data?.user && data.canWrite}
 							<a
 								href="/documents/new"
 								aria-label={m.upload_action()}

frontend/src/routes/layout.svelte.spec.ts

@@ -83,6 +83,13 @@ describe('Layout – upload link', () => {
 		const link = page.getByRole('link', { name: /Hochladen|Upload|Subir/i });
 		await expect.element(link).toHaveAttribute('href', '/documents/new');
 	});
+
+	it('is hidden for a user without WRITE_ALL', async () => {
+		render(Layout, { data: makeData({ canWrite: false }), children: emptySnippet });
+		await expect
+			.element(page.getByRole('link', { name: /Hochladen|Upload|Subir/i }))
+			.not.toBeInTheDocument();
+	});
 });
 
 // ─── Dropdown ─────────────────────────────────────────────────────────────────