added authorization to settings/plans and settings/projects

added auth and removed json from project_groups controller. additionally added constraint to projects and plans controllers that all actions must be authenticated through pundit

removed unused json responses and added auth to plans controller

removed json and added authorization to projects controller

moved authorization logic from comments controller to policy file. Additionally removed unused crud methods

moved logic for authorization out of answers controller into the policy

removed authorization from home-controller as some users will not be logged in when request fielded

forced auth on organisations_controller. TODO: re-check parent, children, and templates after AJAX removed

added auth to home controller

forced all actions to be authenticated through pundit

added ability to grant permissions to other users

bugfixes to auth

finished implimenting new authorization scheme in dmptemplates

updated authorization for all controllers ...

-changed from passing through records as feature not supported
-changed 403 error to better reflect what's happening
-added scope to many of the indexes
-added organisation-scope to requests from old org-admin roles
-renamed guidance_groups_policy to guidance_group_policy.rb

added pundit auth to dmptemplates controller

added pundit auth to guidance groups

added pundit auth to guidances

added pundit auth to organisations controller

added pundit authorization to users

proof of concept for pundit ...

-got the pundit policy file working
-verified that it blocked/allowed users with correct permissions
-fixed a bug in user model where the magic strings had been poorly defined
-