DEV: Make Guardian#can_see? default to false for unwatched objects (#20412)

When invoking e.g. `can_see?(Foo.new)`, the guardian checks if there's a method `#can_see_foo?` defined and if so uses that to determine whether the user can see it or not.

When such a method is not defined, the guardian currently returns `true`, but it is probably a better call (pun intended) to make it "safe by default" and return `false` instead. I.e. if you can't explicitly see it, you can't see it at all.

This change makes the change to `Guardian#can_see?` to fall back to `false` if no visibility check method is defined.

For `#can_see_user?` and `#can_see_tag?` we don't have any particular logic that prevents viewing. We previously relied on the implicit `true` value, but since that's now changed to `false`, I have explicitly implemented these two methods in `UserGuardian` and `TagGuardian` modules. If in the future we want to add some logic for it, this would be the place.

To be clear, **the behaviour remains the same**, but the `true` value is now explicit rather than implicit.
Ted Johansson
2023-02-24 15:57:01 +08:00
committed by GitHub
parent 9fb5bfd93d
commit b50b63808c
5 changed files with 26 additions and 1 deletions
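
The fallback described in the commit message, as an added Ruby sketch that is not part of the commit or of Discourse: `MiniGuardian`, `SecretNote`, the `fallback:` argument and the `unchecked` audit helper are hypothetical names. It runs the same three objects under the old and the new default, and lists the classes whose visibility depended on the implicit `true`.

```ruby
# Added illustration; Tag, User, SecretNote and MiniGuardian are hypothetical
# stand-ins defined here, not Discourse classes.
Tag = Struct.new(:name)
User = Struct.new(:name)
SecretNote = Struct.new(:body)

class MiniGuardian
  # fallback: value returned when no can_see_<type>? method is defined.
  # true models the old fail-open default, false the new fail-closed one.
  def initialize(fallback:)
    @fallback = fallback
  end

  # Dispatch to can_see_<type>? when it exists, otherwise use the fallback.
  def can_see?(obj)
    check = check_name(obj.class)
    respond_to?(check) ? public_send(check, obj) : @fallback
  end

  # Explicit allow-all checks, mirroring what the commit adds for tags and users.
  def can_see_tag?(_tag)
    true
  end

  def can_see_user?(_user)
    true
  end

  # Audit helper: classes whose visibility is decided by the fallback alone.
  def unchecked(classes)
    classes.reject { |klass| respond_to?(check_name(klass)) }
  end

  private

  # SecretNote -> :can_see_secret_note?
  def check_name(klass)
    snake = klass.name.gsub(/([a-z\d])([A-Z])/, '\1_\2').downcase
    :"can_see_#{snake}?"
  end
end

# Visibility of a tag, a user and an object with no check method.
def visibility(fallback)
  guardian = MiniGuardian.new(fallback: fallback)
  [Tag.new("ops"), User.new("ted"), SecretNote.new("x")].map { |o| guardian.can_see?(o) }
end

def audit
  MiniGuardian.new(fallback: false).unchecked([Tag, User, SecretNote])
end
```

Running an audit like `unchecked` over the application's model classes before flipping the default shows which types would silently become invisible.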


@@ -2,6 +2,10 @@
#mixin for all guardian methods dealing with tagging permissions
module TagGuardian
def can_see_tag?(_tag)
true
end
def can_create_tag?
SiteSetting.tagging_enabled &&
@user.has_trust_level_or_staff?(SiteSetting.min_trust_to_create_tag)
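Review bot: `can_see_tag?(_tag)` returns `true` unconditionally and carries no comment saying that this is a deliberate allow-all kept to preserve the previous implicit default. With `can_see?` now falling back to `false`, this method is the only thing granting tag visibility, so a one-line comment above the `def` would stop a later reader from mistaking it for a placeholder. It is also worth confirming that ignoring `SiteSetting.tagging_enabled`, which `can_create_tag?` directly below checks, is intended here.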


@@ -118,6 +118,10 @@ module UserGuardian
user && can_administer_user?(user)
end
def can_see_user?(_user)
true
end
def can_see_profile?(user)
return false if user.blank?
return true if !SiteSetting.allow_users_to_hide_profile?
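Review bot: `can_see_user?(_user)` discards its argument, so a direct call with `nil` returns `true`, whereas `can_see_profile?` just below starts with `return false if user.blank?`. If callers can reach this method with a blank user, consider the same guard; if the allow-all is intentional for every input, a short comment above the `def` saying so would make the explicit grant easier to audit.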