FEATURE: user API now contains scopes so permission is granular

previously we supported blanket read and write for user API, this
change amends it so we can define more limited scopes. A scope only
covers a few routes. You can not grant access to part of the site and
leave a large amount of the information hidden to API consumer.

app/views/user_api_keys/new.html.erb

@@ -1,5 +1,5 @@
 <h1><%= t "user_api_key.title" %></h1>
-<div>
+<div class='authorize-api-key'>
 <% if @no_trust_level %>
   <h3>
   <%= t("user_api_key.no_trust_level") %>
@@ -10,7 +10,14 @@
   </h3>
 <% else %>
 <p>
-  <%= t("user_api_key.description", application_name: @application_name, access: @access_description) %>
+  <%= t("user_api_key.description", application_name: @application_name) %>
+</p>
+<p>
+  <ul class='scopes'>
+    <%- @localized_scopes.each do |scope| %>
+      <li><%= scope %></li>
+    <%- end %>
+  </ul>
 </p>
 <%= form_tag(user_api_key_path) do %>
   <%= hidden_field_tag 'application_name', @application_name %>
@@ -20,6 +27,7 @@
   <%= hidden_field_tag 'auth_redirect', @auth_redirect %>
   <%= hidden_field_tag 'push_url', @push_url %>
   <%= hidden_field_tag 'public_key', @public_key%>
+  <%= hidden_field_tag 'scopes', @scopes%>
   <%= submit_tag t('user_api_key.authorize'), class: 'btn btn-danger', id: 'submit' %>
 <% end %>
 <script>