Better handling for permission policies on limited admins.

If a limited admin user didn't belong to any groups with the specified
permission, then the policy scope could return all results, rather than
limiting the results to no results. Luckily, each place these
policy scopes were used were also followed by the controller
individually checking the policy/permission of individual results, so
the unpermitted results ended up getting stripped. This scenario is also
tested for in the "assert_default_admin_permissions" tests that apply to
our existing API controllers. So while this doesn't change existing
behavior, making sure the query returns nothing from the database to
begin with seems like a better approach (most of the other policies were
already doing this).

src/api-umbrella/web-app/app/policies/admin_group_policy.rb

@@ -9,7 +9,11 @@ def resolve
           api_scope_ids << api_scope.id
         end
 
-        scope.in(:api_scope_ids => api_scope_ids)
+        if(api_scope_ids.any?)
+          scope.in(:api_scope_ids => api_scope_ids)
+        else
+          scope.none
+        end
       end
     end
   end

src/api-umbrella/web-app/app/policies/admin_policy.rb

@@ -10,7 +10,12 @@ def resolve
         end
 
         group_ids = AdminGroup.in(:api_scope_ids => api_scope_ids).map { |g| g.id }
-        scope.in(:group_ids => group_ids)
+
+        if(group_ids.any?)
+          scope.in(:group_ids => group_ids)
+        else
+          scope.none
+        end
       end
     end
   end

src/api-umbrella/web-app/app/policies/api_policy.rb

@@ -19,7 +19,11 @@ def resolve(permission = "backend_manage")
           }
         end
 
-        scope.or(query_scopes)
+        if(query_scopes.any?)
+          scope.or(query_scopes)
+        else
+          scope.none
+        end
       end
     end
   end