This introduces the idea of a public API endpoint, one that doesn't need
an access token or a logged in user session. There aren't yet any
endpoints like this, but there are plans to add some so this lays the
groundwork.

I also cleaned up the permissions checks on some of the existing
endpoints, so that you'll get a 401 and sane error response rather than
a 500 error or empty data now that you can hit them when not logged in.

Also standardized the unauthorized json response. It's now more uniform
in structure, and differentiates between not authenticated and not
authorized. (403 might be more appropriate here, but i'm not going there now)

closes CNVS-4856

test plan: there's not yet an api endpoint you can successfully use
without authentication, but you can hit some of the modified endpoints
such as /users/self/groups or /courses/X/tabs without authentication and
verify that you get a 401 response with a relevant json error message.

Change-Id: I63b12628e95b7e2d9aa06c311078bc8a5170dad4
Reviewed-on: https://gerrit.instructure.com/19008


Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Clare Hetherington <clare@instructure.com>
Product-Review: Brian Palmer <brianp@instructure.com>