This repository has been archived by the owner on May 5, 2020. It is now read-only.

Implement access control for resources #10

Open
bchrobot opened this issue Feb 12, 2018 · 1 comment

@bchrobot
Member

The design for resource access control is complete, but it has not been implemented yet.

@dcdanko dcdanko added this to the beta milestone Feb 15, 2018
@bchrobot
Member Author

Going to use an RBAC system in the style of xaprb's posts [1, 2] on the subject.

Main differences to note:

  1. Groups (e.g. Organizations) have to be dynamic. Instead of a hard-coded bit-packed list, we will add an additional two joins to the FROM clause to enumerate a user's groups.
  2. For simplicity, there will not be any hard-coded UNIX-style permissions. If necessary, these will be included as t_actions in the database.
  3. We may be able to get away with hardcoded t_actions, t_statuses, t_implemented_actions for now. I'm not sure yet whether this will end up being more of a burden, however, as it may be optimal to let the SQL engine do the work with them.
  4. The mix of SQL and NoSQL means that we will need a way to jump between the two.
    It may be enough to:
    • have a common way of getting tablename or equivalent for both SQL and NoSQL ORM classes.
    • fetch obj.status from NoSQL-land and pass it as an argument to the query against t_permissions
      although the upfront owner/group checks (before going to t_permissions) may need to check

@bchrobot bchrobot removed this from the beta milestone Apr 13, 2018
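
The permission lookup sketched in the comment above, as an added example that is not part of the issue thread or the project's code: group membership is resolved with two joins at query time, and the object's owner, group and status are passed in as arguments, as they would be when the object lives in the NoSQL store. t_actions and t_permissions are named in the issue; t_groups, t_memberships, the role values and every column are assumptions.

```python
import sqlite3

# Hypothetical schema: t_actions and t_permissions are named in the issue;
# t_groups, t_memberships and every column here are assumptions.
SCHEMA = """
CREATE TABLE t_groups (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE t_memberships (user_id INTEGER, group_id INTEGER REFERENCES t_groups(id));
CREATE TABLE t_actions (name TEXT PRIMARY KEY);
CREATE TABLE t_permissions (
    role TEXT NOT NULL CHECK (role IN ('user', 'owner', 'owner_group')),
    who INTEGER,              -- user id, only for role = 'user'
    action TEXT NOT NULL REFERENCES t_actions(name),
    tablename TEXT NOT NULL,  -- resource type: SQL table or NoSQL collection
    status TEXT);             -- NULL matches any object status
"""

# The two LEFT JOINs enumerate the caller's groups at query time.
CHECK = """
SELECT 1 FROM t_permissions p
LEFT JOIN t_memberships m ON m.user_id = :user
LEFT JOIN t_groups g ON g.id = m.group_id
WHERE p.action = :action AND p.tablename = :tablename
  AND (p.status IS NULL OR p.status = :status)
  AND ((p.role = 'user' AND p.who = :user)
    OR (p.role = 'owner' AND :owner = :user)
    OR (p.role = 'owner_group' AND g.id = :obj_group))
LIMIT 1
"""

def is_allowed(db, user, action, tablename, owner, obj_group, status):
    """Default deny: True only if a t_permissions row matches. owner, obj_group
    and status describe the object; the caller fetches them first (e.g. from NoSQL)."""
    params = dict(user=user, action=action, tablename=tablename,
                  owner=owner, obj_group=obj_group, status=status)
    return db.execute(CHECK, params).fetchone() is not None

def demo_db():
    """Constructed data: user 1 owns the object, user 2 shares its group (10),
    user 3 is in an unrelated group (11)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO t_groups VALUES (?, ?)", [(10, "org-a"), (11, "org-b")])
    db.executemany("INSERT INTO t_memberships VALUES (?, ?)", [(1, 10), (2, 10), (3, 11)])
    db.executemany("INSERT INTO t_actions VALUES (?)", [("read",), ("delete",)])
    db.executemany("INSERT INTO t_permissions VALUES (?, ?, ?, ?, ?)", [
        ("owner_group", None, "read", "samples", None),
        ("owner", None, "delete", "samples", "draft")])
    return db
```

A user with no memberships, or an object with no group, matches no `owner_group` row, so the check falls through to deny.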