ISEC issue regarding unclear access controls

It is just an informational issue, but a refactor makes sense.

The authorize method only ensures the user is authenticated, not that they have access to whatever is being attempted.

In the user controller, the fetch_user method handles authorization. In other parts of the web app, the authorization is handled in different manners. This should be more consistent throughout.

(from redmine: created on 2013-08-29, closed on 2014-05-05)
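As an added illustration, not code from this project, here is a minimal Ruby model of the two checks the issue contrasts: an authorize step that only verifies someone is logged in, beside one that also checks whether the caller may act on the requested user record. The user ids, the admin flag and the ownership rule are assumptions.

```ruby
# Added example; the users, ids and roles below are constructed sample data.
User = Struct.new(:id, :admin, :name) do
  def admin?
    admin
  end
end

USERS = {
  1 => User.new(1, false, "alice"),
  2 => User.new(2, false, "bob"),
  9 => User.new(9, true, "admin"),
}.freeze

# The pattern the issue describes: answers "is anyone logged in?" and
# ignores which record is being requested.
def authorize_authenticated_only(current_user, _target_id)
  current_user ? :ok : :unauthenticated
end

# Authorization tied to the target resource. Assumed rule: a user may act
# on their own record, an admin on any record.
def authorize_for_user(current_user, target_id)
  return :unauthenticated unless current_user
  return :forbidden unless current_user.admin? || current_user.id == target_id
  :ok
end

# Simulated "show user" controller action; `check` names the authorizer
# to run before the record is fetched.
def show_user(current_user, target_id, check)
  verdict = send(check, current_user, target_id)
  return verdict unless verdict == :ok
  USERS.fetch(target_id).name
end

if __FILE__ == $PROGRAM_NAME
  # alice requesting bob's record: passes the weak check, denied by the strict one
  puts show_user(USERS[1], 2, :authorize_authenticated_only)
  puts show_user(USERS[1], 2, :authorize_for_user)
end
```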