Modular Security Architecture: Phase 3

Refactor current authorization (aka "permission enforcement") as a module; some refactorings needed in REST resource classes b/c current enforcement not following best practices; 100% backwards compatible, authorization as before, same database tables.