Add the ability to enable / disable the whitelist globally

[myssto]

As we move towards a beta release, it makes sense to want to have a way to enable and disable the whitelist we have activated instead of granting all users the whitelist claim or remove the attributes from the controllers completely. Using the new WhitelistEnforcementMiddleware, the behavior can be preserved for when we need to restrict access, but also disabled when we need to do so. The middleware asserts that all requests have either the whitelist, admin, or system claim when active. Activation of this middleware is determined through a new config value Auth.EnforceWhitelist.

Since this pull edits all of the controllers anyway, I decided to include the relevant changes for 232 as well.

Closes #232

[hburn7]

Tested, seems to work as expected.