Non-privileged user can't delete authorization tokens.
Under the following conditions:
- A link exists in the database with head_uuid=null and link_class='permission', owned by (say) admin
- Non-admin user creates an ApiClientAuthorization (e.g., with the "share" button on the Workbench "show collection" page)
- Non-admin user deletes the ApiClientAuthorization (e.g., "unshare")
Result: Permission denied. "dependent: destroy" hook tries to delete all links with head_uuid=null.
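
The failure mode above, modelled in plain Ruby without Rails. This is an added example, not the project's code: every class and method name is hypothetical, the token's nil key is an assumption implied by the report, and the guard shown is one possible mitigation rather than the project's fix.

```ruby
# Plain-Ruby model of a "dependent: destroy" cascade keyed on head_uuid.
Link  = Struct.new(:id, :head_uuid, :link_class, :owner)
Token = Struct.new(:uuid, :owner) # uuid is nil here (assumed, see lead-in)

class PermissionDenied < StandardError; end

class Store
  attr_reader :links

  def initialize(links)
    @links = links
  end

  # Association lookup: links whose head_uuid equals the record's key.
  # With a nil key this matches every link with head_uuid=null.
  def dependents(record)
    @links.select { |l| l.head_uuid == record.uuid }
  end

  def destroy_link(link, actor)
    unless actor == "admin" || link.owner == actor
      raise PermissionDenied, "#{actor} cannot delete link #{link.id}"
    end
    @links.delete(link)
  end

  # Behaviour described in the report: the cascade always runs.
  def destroy_token_unguarded(token, actor)
    dependents(token).each { |l| destroy_link(l, actor) }
    :destroyed
  end

  # Guarded variant: a nil key identifies no record, so skip the cascade.
  def destroy_token_guarded(token, actor)
    dependents(token).each { |l| destroy_link(l, actor) } unless token.uuid.nil?
    :destroyed
  end
end

# Constructed sample data: one null-head link owned by admin, one ordinary link.
def sample_store
  Store.new([Link.new(1, nil, "permission", "admin"),
             Link.new(2, "constructed-uuid-1", "permission", "user1")])
end
```

In this model the unguarded path, run as admin, also removes the unrelated null-head link instead of failing, so the cascade is a data-integrity problem as well as a permission error.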