Implement permissions checks on server back end.

We have a single-page app for teaching undergraduate experimental psychology, in which there are a number of different user roles, such as student, instructor, administrator, etc. Each user can create objects, and specify who should be able to access them. Currently, this is all handled in the front-end when determining what to present to the users, but the back-end also needs to implement permission checks to ensure that a malicious user cannot obtain data that they should not have access to by constructing their own AJAX request. There are a couple of places in the back-end code where this is noted in a comment, and a warning is displayed to the console, but some additional design work is probably required to facilitate this task. Currently, every object has an owner id property, but that is all. One approach would be to create a new PermissionSpec object that would contain the sharing information for each object that has an instance as a property.