Support for more granular authorization

[nikosd]

We would like to be able to have authorization logic per "role" or at least per "user". Some example rules:

• User X (or user who belongs to group Y) can flag proposals as "abusive" but all other users can not
• User X (or user who belongs to group Y) can change the submission dates
• All registered users can submit proposals
• All registered users can edit their own proposals
• All registered users can view published proposals

etc...

I'm personally familiar with cancan but any other similar "framework" would be totally ok if it's robust enough.

[nikosd]

It's almost ready. What's troubling me is the disabled selections controller with the commented out tests and routes... Maybe we should integrate somehow the 'modal' branch from upstream vestibule.