403 leaks information about whether the requested project exists.
This approach for projects is now similar to how we treat other
nested objects, where we retrieve from an authorized dataset,
instead of retrieving the object and then (hopefully) performing
authorization on it. It should also be faster as it eliminates
an unnecessary query.
Unfortunately, the route specs mock Project.[] in quite a few
places. To avoid a bunch of spec churn, add Clover.authorized_project,
and change the mocking to mock that instead.
As a consequence of this handling, deleting an unauthorized project
now returns 204 instead of 403. I believe that is how deletion
of other unauthorized objects is handled, so the behavior is now
more consistent, but it is something to be aware of.
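
The difference between the two lookup patterns described in the commit message above, as an added example that is not part of the commit or the project's code. It uses an in-memory store instead of the real models; every name in it is hypothetical, and the 404 returned for an unauthorized GET is an assumption (the message only states the 204 for deletion).

```ruby
# Constructed sample data; all names are hypothetical, not the project's code.
Project = Struct.new(:id, :name)
PROJECTS = [Project.new("p1", "alice-prod"), Project.new("p2", "bob-prod")].freeze
# account => ids of the projects that account may access
ACCESS = {"alice" => ["p1"], "bob" => ["p2"]}.freeze

# Before: fetch the object, then authorize it. Two lookups, and the status
# differs between "exists but forbidden" (403) and "does not exist" (404).
def get_fetch_then_authorize(account, project_id)
  project = PROJECTS.find { |p| p.id == project_id }
  return 404 unless project
  return 403 unless ACCESS.fetch(account, []).include?(project.id)
  200
end

# After: only ever search inside the set the account is authorized for.
def authorized_projects(account, store = PROJECTS)
  ids = ACCESS.fetch(account, [])
  store.select { |p| ids.include?(p.id) }
end

# Assumption: a miss in the authorized set is reported as 404.
def get_from_authorized_set(account, project_id)
  authorized_projects(account).any? { |p| p.id == project_id } ? 200 : 404
end

# Deletion through the authorized set: an unauthorized or missing project is
# simply not found, nothing is deleted, and the response is 204 either way.
def delete_from_authorized_set(account, project_id, store)
  target = authorized_projects(account, store).find { |p| p.id == project_id }
  store.delete(target) if target
  204
end

# True when the handler answers differently for another account's project
# than for an id that does not exist, i.e. the status reveals existence.
def existence_oracle?(handler, account)
  handler.call(account, "p2") != handler.call(account, "does-not-exist")
end

if __FILE__ == $PROGRAM_NAME
  puts "fetch-then-authorize leaks: #{existence_oracle?(method(:get_fetch_then_authorize), "alice")}"
  puts "authorized-set leaks:       #{existence_oracle?(method(:get_from_authorized_set), "alice")}"
end
```

A route spec can assert the same property directly: the response for another account's project must equal the response for a random nonexistent id.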