security: block non-admin roles from AdminLoginView
AdminLoginView previously accepted any valid credential regardless of role. partner_manager / partner / partner_staff / partner_customer / customer accounts could obtain admin JWTs and land on admin.eventifyplus.com, where protected pages would render generic "not found" empty states. Now returns 403 for those roles unless the user is a superuser or has an attached StaffProfile. Writes an auth.admin_login_failed audit row with reason=non_admin_role. Closes gap reported for novakopro@gmail.com on /partners/3.
@@ -5,6 +5,13 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), version
|
||||
|
||||
---
|
||||
|
||||
## [1.14.1] — 2026-04-21
|
||||
|
||||
### Security
|
||||
- **`AdminLoginView` now rejects non-admin roles** — users with `role` in `{customer, partner, partner_manager, partner_staff, partner_customer}` can no longer obtain an admin JWT via `POST /api/v1/auth/login/`. Returns HTTP 403 with `{'error': 'This account is not authorized for the admin dashboard.'}` and writes an `auth.admin_login_failed` audit row with `reason: 'non_admin_role'`. Superusers and any user with an attached `StaffProfile` remain allowed regardless of role, so existing admin staff are unaffected. Closes the gap where partner_manager accounts (e.g. `novakopro@gmail.com`) could log into `admin.eventifyplus.com` and hit protected routes
|
||||
|
||||
---
|
||||
|
||||
## [1.14.0] — 2026-04-21
|
||||
|
||||
### Added
|
||||
|
||||
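Review bot: the new 1.14.1 Security bullet publishes a personal email address (`novakopro@gmail.com`) in a user-facing CHANGELOG; drop the example account and keep only the role and the fact that partner_manager accounts could reach `admin.eventifyplus.com`, since the commit message already records the reporter for internal tracking. Two smaller points on the same bullet: the response body is quoted as a Python dict literal (`{'error': ...}`) where the entry should show the JSON the client actually receives (`{"error": "This account is not authorized for the admin dashboard."}`), and the sentence ends without a period after "hit protected routes". Worth adding to the entry as well: because any user with an attached `StaffProfile` is exempt regardless of `role`, the new check is only as strong as the controls on who can have a `StaffProfile` attached, so operators reading the changelog should know that is the remaining trust boundary.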