Refactoring of base roles

Currently, base roles (i.e. roles that every non-service user is automatically added to) are defined by name in the config attribute ROLES_BASEROLES and users are added to base roles when they are created or edited in the admin interface. When ROLES_BASEROLES is changed, existing users are not automatically updated. The current implementation also creates many special cases in the code.

With this change, roles have the new attribute "is_default" in the database. This attribute can be changed in the admin interface. Changing it updates all affected users. Non-service users are never explicitly added as members to base roles. Base role permissions are considered implicitly instead (similar to roles included by other roles).

This change requires manual intervention: After updating, the base roles must be marked as such manually in the web interface.