Add example for scopes-based authorization

[bkoelman]

This PR adds an example for using scopes-based authorization in a generic way.

For simplicity in this sample, accessing relationships requires access to both the left and right sides of the relationship. An alternative approach could be to define relationship-specific scopes, such as read:relationship:movies-genre. Another limitation of this sample is that it only supports access checks on resource types. For example, consider a resource type TodoItem that contains an owner (type Person) and an assignee (type Person). Now it's not possible to allow fetching/updating the assignee while preventing to fetch/update the owner.

Just so you know, this is only a sample. Personally, I'd never use such fine-grained scopes because it quickly becomes an administrative nightmare. What I would do is define scopes around functional areas (like the GitHub API does), and then directly annotate controller action methods with them.

Closes #1300.

QUALITY CHECKLIST

• Changes implemented in code
• Complies with our contributing guidelines
• Adapted tests
• N/A: Documentation updated

[codecov]

Codecov Report

Merging #1303 (968e35b) into master (396123c) will not change coverage.
The diff coverage is n/a.

❗ Current head 968e35b differs from pull request most recent head 9691a04. Consider uploading reports for the commit 9691a04 to get more accurate results

@@           Coverage Diff           @@
##           master    #1303   +/-   ##
=======================================
  Coverage   96.82%   96.82%           
=======================================
  Files          21       21           
  Lines         598      598           
=======================================
  Hits          579      579           
  Misses         19       19