FEATURE: user API now contains scopes so permission is granular

Previously we supported blanket read and write for user API; this
change amends it so we can define more limited scopes. A scope only
covers a few routes. You can not grant access to part of the site and
leave a large amount of the information hidden to the API consumer.
Sam
2016-10-14 16:05:27 +11:00
parent becff2de4d
commit f4f5524190
16 changed files with 164 additions and 75 deletions


@@ -1,8 +1,6 @@
Fabricator(:readonly_user_api_key, from: :user_api_key) do
user
read true
write false
push false
scopes ['read']
client_id { SecureRandom.hex }
key { SecureRandom.hex }
application_name 'some app'
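
Review bot: in `:readonly_user_api_key`, read-only is now expressed only by what is missing from `scopes ['read']`, since the explicit `write false` and `push false` lines are gone (the hunk header shrinks the block from 8 lines to 6). Nothing in the fabricator states the denial any more, so a spec should build this fabricator and assert that a write route and a push request are both rejected; that would catch a scope check that fails open. If scope names are not validated on the model, a misspelled string in this array would also pass silently, so it is worth checking that an unknown scope name is rejected when the key is created.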