Updated policies to rely on ProjectUser records

[begedin]

What's in this PR?

Closes #717, progress on #718, progress on #725

I tried to keep things simple. Due to the way the system works, we can't really have a case where a user is a project owner, but not an organization owner. We also can't really, or should not, have a case where there's a ProjectUser record with the role "owner", but the associated project.owner_id is not set to the associated user.id.

With that in mind, when checking policies:

• If I'm checking for an organization-related record, I check organization.owner_id.
• If I'm checking for a project-related record, I first check the project.owner_id. If that fails, then I check the associated ProjectUser record

This allowed me to simplify a few things.

Additionally, in all affected policies, I started removing clauses for site admin users. I don't think there's a point. We don't have an admin interface, nor do we make any other use of it. It confuses contributors and bloats the code.

When we do add an admin interface, I don't think we can even be reasonably sure we'll be using the same authorization layer. It might be easier to just make a simple one just for that interface.

Also, with the changes, I had to remove some parts of the organization membership code, but not all of it. The alternative was to spend time commenting it out, or to fix tests that are going to get removed anyway.

References

Fixes #717
Progress on: #718, #725