extensionSystem: Support locking down extension installation

Currently extensions can only be locked down completely by
restricting the `enabled-extensions` key via dconf.

This is too restrictive for environments that want to allow users
to customize their system with extensions, while still limiting
the set of possible extensions.

To fill that gap, add a new `allow-extension-installation` setting,
which restricts extensions to system extensions when disabled.

As the setting is mainly intended for locking down by system
administrators, there is no attempt to load/unload extensions
on settings changes.

Part-of: <https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/3180>

js/ui/extensionSystem.js

@@ -86,8 +86,11 @@ export class ExtensionManager extends Signals.EventEmitter {
 
     get updatesSupported() {
         const appSys = Shell.AppSystem.get_default();
-        return (appSys.lookup_app('org.gnome.Extensions.desktop') !== null) ||
-               (appSys.lookup_app('com.mattjakeman.ExtensionManager.desktop') !== null);
+        const hasUpdatesApp =
+            appSys.lookup_app('org.gnome.Extensions.desktop') !== null ||
+            appSys.lookup_app('com.mattjakeman.ExtensionManager.desktop') !== null;
+        const allowed = global.settings.get_boolean('allow-extension-installation');
+        return allowed && hasUpdatesApp;
     }
 
     lookup(uuid) {
@@ -745,7 +748,8 @@ export class ExtensionManager extends Signals.EventEmitter {
 
         let perUserDir = Gio.File.new_for_path(global.userdatadir);
 
-        const extensionFiles = [...FileUtils.collectFromDatadirs('extensions', true)];
+        const includeUserDir = global.settings.get_boolean('allow-extension-installation');
+        const extensionFiles = [...FileUtils.collectFromDatadirs('extensions', includeUserDir)];
         const extensionObjects = extensionFiles.map(({dir, info}) => {
             let fileType = info.get_file_type();
             if (fileType !== Gio.FileType.DIRECTORY)