
Conversation

@didoda (Member) commented Feb 5, 2025

This introduces some security checks for internal /api/{action} calls.

Requests on URLs like /api/* from the browser will be blocked with 401 Unauthorized, because /api is supposed to be used as an internal proxy for AJAX calls.

When no user is authenticated or the user has no roles: 401 Unauthorized.

When the user has the admin role, skip all checks.

When the user has non-admin roles, this checks {action} considering the allowed methods for the user: data is retrieved from the BEdita API to determine which methods are allowed per action; you can customize the "blocking" logic with a configuration ApiProxy.blocked. An example follows:

```php
[
    'ApiProxy' => [
        'blocked' => [
            'objects' => ['GET', 'POST', 'PATCH', 'DELETE'],
            'users' => ['GET', 'POST', 'PATCH', 'DELETE'],
        ],
    ],
],
```

This introduces some refactoring to avoid using api/objects and api/users, by using specific routes with "safe" data (no relationships, no included, etc.).
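The decision rules described above (browser requests rejected, 401 without user or roles, admin skips checks, non-admin checked against allowed methods and `ApiProxy.blocked`), modelled as an added example; this is illustrative code, not the PR's controller. The `ajax` request flag, the `$allowedMethods` lookup callable standing in for the BEdita API query, and the reading that a method listed under `blocked` for an action is refused regardless of the user's allowed methods are all assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical decision function for the internal /api/{action} proxy.
 * Returns an HTTP status: 200 if the proxied call may proceed, 401 otherwise.
 *
 * @param array $request ['action' => string, 'method' => string, 'ajax' => bool] (ajax flag is an assumption)
 * @param array|null $user ['roles' => string[]], or null when nobody is authenticated
 * @param array $blocked ApiProxy.blocked config: action => list of refused methods
 * @param callable $allowedMethods fn(string $action, array $user): string[] (assumed stand-in for the BEdita API lookup)
 */
function apiProxyDecision(array $request, ?array $user, array $blocked, callable $allowedMethods): int
{
    // /api/* is an internal proxy for AJAX calls: direct browser navigation is refused.
    if (empty($request['ajax'])) {
        return 401;
    }
    // No authenticated user, or a user without roles: 401 Unauthorized.
    if ($user === null || empty($user['roles'])) {
        return 401;
    }
    // The admin role skips every further check.
    if (in_array('admin', $user['roles'], true)) {
        return 200;
    }
    $action = (string)$request['action'];
    $method = strtoupper((string)$request['method']);
    // Methods listed under ApiProxy.blocked for this action are refused outright (assumed semantics)...
    if (in_array($method, $blocked[$action] ?? [], true)) {
        return 401;
    }
    // ...and any other method must be among those the user is allowed to use on the action.
    return in_array($method, $allowedMethods($action, $user), true) ? 200 : 401;
}

// Constructed sample data, not taken from the page or from BEdita.
$blocked = ['objects' => ['GET', 'POST', 'PATCH', 'DELETE'], 'users' => ['GET', 'POST', 'PATCH', 'DELETE']];
$allowed = fn(string $action, array $user): array => $action === 'documents' ? ['GET', 'POST'] : [];
$editor = ['roles' => ['editor']];

assert(apiProxyDecision(['action' => 'objects', 'method' => 'GET', 'ajax' => false], $editor, $blocked, $allowed) === 401);
assert(apiProxyDecision(['action' => 'objects', 'method' => 'GET', 'ajax' => true], null, $blocked, $allowed) === 401);
assert(apiProxyDecision(['action' => 'objects', 'method' => 'GET', 'ajax' => true], ['roles' => ['admin']], $blocked, $allowed) === 200);
assert(apiProxyDecision(['action' => 'objects', 'method' => 'GET', 'ajax' => true], $editor, $blocked, $allowed) === 401);
assert(apiProxyDecision(['action' => 'documents', 'method' => 'GET', 'ajax' => true], $editor, $blocked, $allowed) === 200);
assert(apiProxyDecision(['action' => 'documents', 'method' => 'DELETE', 'ajax' => true], $editor, $blocked, $allowed) === 401);
```

Run with `php -d zend.assertions=1` so the assertions are actually evaluated.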

@didoda didoda added bug Something isn't working release:patch labels Feb 5, 2025
@didoda didoda added this to the 5.x milestone Feb 5, 2025
@didoda didoda changed the title Secure API controller Secure api "proxy" controller Feb 5, 2025
@codecov codecov bot commented Feb 5, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 99.65%. Comparing base (fe029b4) to head (9653eb1).
Report is 11 commits behind head on master.

Additional details and impacted files
```
@@            Coverage Diff             @@
##             master    #1224    +/-   ##
==========================================
  Coverage     99.65%   99.65%            
- Complexity     1321     1339    +18     
==========================================
  Files            97       98     +1     
  Lines          5151     5252   +101     
==========================================
+ Hits           5133     5234   +101     
  Misses           18       18            
```


@didoda didoda marked this pull request as ready for review February 5, 2025 17:07
@didoda didoda marked this pull request as draft February 6, 2025 09:19
@didoda didoda marked this pull request as ready for review February 6, 2025 11:32
@didoda didoda merged commit 42814dd into bedita:master Feb 6, 2025
9 checks passed
@didoda didoda deleted the fix/secure-api-controller branch February 6, 2025 15:48