Managing and testing our authorization logic is getting complicated, and it'll get more complicated as users are allowed to view their user pages, etc. Pundit makes that simpler by extracting authorization into policy objects. I think this change makes sense, but we should discuss whether this is the route we want to take.
Do you all think it's worth adding a dependency to separate out auth logic?