Normal (non-administrator) users can delete their own containers outside of the API server

[runleveldev]

We have given VM.Allocate privileges to standard users on their own LXCs allowing them to delete them without contacting the API server. This causes issues with reused ctids on the Proxmox. Should we:

1. Remove the VM.Allocate permission forcing users to use the API server to delete their containers? OR
2. Add a hook script that, when a container is deleted, contacts the API server for deletion from the database?