olin-build / ABE

Amorphous Blob of Events
https://abe.olin.build/
GNU Affero General Public License v3.0

Non-administrators shouldn't be able to edit labels #225

Closed osteele closed 6 years ago

osteele commented 6 years ago

An authenticated community member who is not an administrator should not have access to the non-GET methods of the /labels resource.

The first phase of this could be to replace the @edit_auth_required decorators above def post, def put, and def delete (but not def get) in label_resources.py by a new decorator @admin_auth_required, and implement a new admin_auth_required decorator:

import os
from functools import wraps

from flask import abort


def admin_auth_required(f):
    """Decorates f to raise an HTTP UNAUTHORIZED exception if the auth check fails."""
    @wraps(f)
    def wrapped(*args, **kwargs):
        # Fail closed: deny unless ALLOW_ADMIN_ACCESS is set to "all"
        # (the stop-gap value the tests set in tests/context.py).
        if os.environ.get("ALLOW_ADMIN_ACCESS", None) != "all":
            abort(401)
        return f(*args, **kwargs)
    return wrapped

and add os.environ["ALLOW_ADMIN_ACCESS"] = "all" to tests/context.py.

This will make these methods inaccessible when the ALLOW_ADMIN_ACCESS environment variable is clear — which will be the case on production (and currently dev and staging). But this is good! And no-one is currently using these methods.

#236 (which should be done after this) restores access to authenticated administrators.

ALLOW_ADMIN_ACCESS is a stop-gap measure, to maintain the tests.

Additional work, on the test cases, would be required in order to test this change. Since this work might be throwaway work given #236, I consider it optional for the completion of this task.
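The following is an added example, not code from the ABE repository, that exercises the fail-closed behaviour the issue asks for: a decorator that denies the call unless ALLOW_ADMIN_ACCESS is exactly "all", applied to post, put and delete but not get on a hypothetical LabelResource stand-in. To keep it dependency-free, an Unauthorized exception stands in for Flask's abort(401); call_with_env and access_matrix are helpers invented here to show the outcome for every method under unset, empty, wrong-case and "all" values.

```python
import os
from functools import wraps


# Stand-in for flask.abort(401): ABE's real decorator raises an HTTP 401
# through Flask; an exception keeps this example runnable without Flask.
class Unauthorized(Exception):
    """Raised where Flask's abort(401) would return HTTP 401."""


def admin_auth_required(f):
    """Deny the call unless ALLOW_ADMIN_ACCESS is exactly "all" (fail closed)."""
    @wraps(f)
    def wrapped(*args, **kwargs):
        if os.environ.get("ALLOW_ADMIN_ACCESS") != "all":
            raise Unauthorized("admin access required")
        return f(*args, **kwargs)
    return wrapped


class LabelResource:
    """Hypothetical stand-in for label_resources.py: only the non-GET
    methods carry the admin decorator, exactly as the issue proposes."""

    def get(self):
        return "label list"

    @admin_auth_required
    def post(self):
        return "created"

    @admin_auth_required
    def put(self):
        return "updated"

    @admin_auth_required
    def delete(self):
        return "deleted"


def call_with_env(method_name, value):
    """Invoke one LabelResource method with ALLOW_ADMIN_ACCESS set to `value`
    (None means unset), restore the environment, and report 'ok' or 'denied'."""
    saved = os.environ.get("ALLOW_ADMIN_ACCESS")
    if value is None:
        os.environ.pop("ALLOW_ADMIN_ACCESS", None)
    else:
        os.environ["ALLOW_ADMIN_ACCESS"] = value
    try:
        getattr(LabelResource(), method_name)()
        return "ok"
    except Unauthorized:
        return "denied"
    finally:
        if saved is None:
            os.environ.pop("ALLOW_ADMIN_ACCESS", None)
        else:
            os.environ["ALLOW_ADMIN_ACCESS"] = saved


def access_matrix():
    """Outcome of each method under four constructed environment settings."""
    envs = {"unset": None, "empty": "", "ALL": "ALL", "all": "all"}
    methods = ("get", "post", "put", "delete")
    return {label: {m: call_with_env(m, v) for m in methods}
            for label, v in envs.items()}


if __name__ == "__main__":
    for label, row in access_matrix().items():
        print(f"{label:>6}: {row}")
```

The matrix makes the important property visible: GET stays open in every row, while the three mutating methods are denied for an unset, empty or differently-cased variable and allowed only for the literal "all", so a production deployment that never sets the variable is locked down by default.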