listing permissions / roles requires api_key

Listing permissions or roles requires an api_key. For an app using the API this means that a user has to log in first or an api_key needs to be provided for it read those. Seems overly complicated as just listing them will no cause harm i think …
