Fix API Scoping

What does this MR do?

• API scopes are declared in before blocks
• This causes subtle ordering bugs, since before blocks in parent classes are run before those in child classes
• Description of exact bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/33580#note_32969050
• This MR attempts to fix this by moving declared scopes to the class level, so something like API::API.scopes would return [:api], while API::Users.scopes would return [:read_user].

Are there points in the code the reviewer needs to double check?

• Any downsides to storing @scopes at the class level?
• Is it worth making each scope a class, rather than a hash?
• Any edge cases I haven't considered?

References

• Closes #33580 (closed)
• Closes #33022 (closed)
• Related EE merge request: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2338

Tasks

• Investigation
• Implementation
  • Move scope declarations to the class level
  • Allow conditions like if request.get?
  • Make sure the declarations run only once. @scopes must not grow with every request.
  • Refactoring
• Tests
  • Added
    • Test all endpoints calling out to allow_access_with_scope
      • Personal access tokens
      • Doorkeeper tokens
    • Access token validation service
  • Passing
• Meta
  • CHANGELOG entry created
  • API support added
  • Branch has no merge conflicts with master
  • Squashed related commits together
  • Check for clean merge with EE
• Review
  • Reviewer
  • Maintainer
• Wait for merge