🔒️(backend) remove accesses list from room serializer for non-admins

Restrict access to room user permissions data by excluding this information
from room serializer response for non-admin/owner users. Previously all
members could see complete access lists. Change enforces stricter information
access control based on user role.

Spotted in #YWH-PGM14336-5.
lebaudantoine
2025-04-29 16:45:55 +02:00
committed by aleb_the_flash
parent 462c6c50e5
commit 422f838899
2 changed files with 6 additions and 38 deletions


@@ -120,7 +120,7 @@ class RoomSerializer(serializers.ModelSerializer):
role = instance.get_role(request.user)
is_admin = models.RoleChoices.check_administrator_role(role)
if role is not None:
if is_admin:
access_serializer = NestedResourceAccessSerializer(
instance.accesses.select_related("resource", "user").all(),
context=self.context,
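Review bot: replacing the `if role is not None:` guard with `if is_admin:` makes `models.RoleChoices.check_administrator_role(role)` the only check in front of the nested `accesses` list, and it is now evaluated for whatever `instance.get_role(request.user)` returns, including `None` for a non-member; confirm the helper returns False for `None` rather than raising, and, since the commit message says the list remains visible to admins and owners, that it also returns True for the owner role, otherwise owners lose the access list along with plain members. A short comment above the `is_admin` line stating both facts, plus a serializer test asserting that a plain member and an anonymous user get no `accesses` key while an owner still does, would pin the intended behaviour down.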