Instances of models should not matter when checking permissions

[askvortsov1]

**Ref #2092 **

Changes proposed in this pull request:

So right now, the permission system has, essentially 4 layers, checked in the following order.

1. Run through all relevant policies. If non-null returned, return that. Else, continue.
2. If the user is in a group that has the given permission and the permsission is not being evaluated on an instance of a model, return true. Else, continue.
3. If the user is in the admin group, return true. Else, continue.
4. Return false.

My proposed changes to the actual process are:

1. Have an order of precedence for step (1), that being forceDeny, forceAllow, deny, allow. This solves the issue of dependence on extension boot order,
2. Don't disqualify step 2 if the permission is being evaluated on an instance of a model. I'm not really sure why that was there in the first place.

• From Refactoring Policies #2092 (comment)

This PR does (2) above, by not disqualifying a user's group having a permission if the permission check is called on an instance. This system isn't intuitive, and was set up in a commit titled "fix permissions being incorrectly granted" (which tells us nothing) back from 2015. Looking at the history at the time, this logic was called BEFORE policies were called, which might explain the changes. Now that policies are considered first, this is no longer necessary.
90def3f

Confirmed

• Frontend changes: tested on a local Flarum installation.
• Backend changes: tests are green (run composer test).

[luceos]

I looked at the git history, but see no reason why this check was added in the first place. As I cannot come up with a scenario why this should matter I think it's okay to merge.

[franzliedke]

Nice digging. 👏