Rework capabilities to avoid assumptions about missing tokens

The logic about missing tokens implying logged in users (and that
all logged in users have access to any method protected by a token
capability) is correct. However, I believe it is both confusing and
brittle, and leaves a security-related door ajar for future foot-gun
incidents.

Instead, apply Abilities as normal, and keep the Capabilities
involvement only for situations where a token is provided. This
reduces the cognitive burden when considering Abilities in isolation.
Andy Allan 2018-10-24 12:07:00 +02:00
parent a50ad1c895
commit 71b21ec473
4 changed files with 3 additions and 13 deletions
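The split the commit message argues for (Ability decides for the logged-in user on every request; Capability is consulted only when a token is actually present, and a missing token grants nothing) can be shown in a few lines of plain Ruby. This is an added example and not code from openstreetmap-website or from this commit: the classes `User`, `Token`, `Ability`, `Capability`, `LegacyCapability`, the `authorized?` helper, the `:user_preferences` subject and the `:read_prefs`/`:write_prefs` scopes are all assumed for illustration. `LegacyCapability` models the pre-rework behaviour the message calls brittle, so the two can be compared side by side.

```ruby
# Added example (not the project's code). All class, method and scope names
# here are assumptions chosen to illustrate the pattern, not the real ones.

User  = Struct.new(:name)    # a session-authenticated user, or nil when anonymous
Token = Struct.new(:scopes)  # an access token carrying a list of scope symbols

# Shared rule table: a list of [actions, subject] pairs plus can?/cannot?
module Rules
  def can(actions, subject)
    @rules << [Array(actions), subject]
  end

  def can?(action, subject)
    @rules.any? { |actions, subj| subj == subject && actions.include?(action) }
  end

  def cannot?(action, subject)
    !can?(action, subject)
  end
end

# Ability: what a user may do, derived from who they are. Applied on every request.
class Ability
  include Rules

  def initialize(user)
    @rules = []
    return if user.nil? # anonymous: nothing below is granted
    can [:read, :read_one, :update, :update_one, :delete_one], :user_preferences
  end
end

# Capability after the rework: what a token may do, derived only from its scopes.
# A missing token grants nothing; it says nothing about whether a user is logged in.
class Capability
  include Rules

  def initialize(_user, token)
    @rules = []
    return if token.nil? # fail closed: no token, no capabilities
    can [:read, :read_one], :user_preferences if token.scopes.include?(:read_prefs)
    can [:update, :update_one, :delete_one], :user_preferences if token.scopes.include?(:write_prefs)
  end
end

# LegacyCapability, modelling the behaviour before the rework: a missing token is
# read as "logged-in user" and everything such a user could do is granted. Any
# call site that forgets to pass the token silently gets full access.
class LegacyCapability
  include Rules

  def initialize(user, token)
    @rules = []
    if token.nil?
      can [:read, :read_one, :update, :update_one, :delete_one], :user_preferences unless user.nil?
    else
      can [:read, :read_one], :user_preferences if token.scopes.include?(:read_prefs)
      can [:update, :update_one, :delete_one], :user_preferences if token.scopes.include?(:write_prefs)
    end
  end
end

# The composed check: Ability always applies; Capability narrows the answer
# only when a token is part of the request.
def authorized?(user, token, action, subject)
  return false unless Ability.new(user).can?(action, subject)
  return true if token.nil?
  Capability.new(user, token).can?(action, subject)
end

if $PROGRAM_NAME == __FILE__
  alice = User.new("alice")
  read_only = Token.new([:read_prefs])
  puts authorized?(alice, nil, :delete_one, :user_preferences)              # true: session user, Ability alone decides
  puts authorized?(alice, read_only, :delete_one, :user_preferences)        # false: token scope does not allow it
  puts authorized?(alice, read_only, :read, :user_preferences)              # true: within the token's scope
  puts authorized?(nil, nil, :read, :user_preferences)                      # false: anonymous
  puts Capability.new(alice, nil).cannot?(:delete_one, :user_preferences)   # true: what the updated test asserts
  puts LegacyCapability.new(alice, nil).can?(:delete_one, :user_preferences) # true: the old foot-gun
end
```

The difference worth noticing is the last two lines: with the reworked `Capability` a nil token is inert and the decision comes from `Ability`, whereas the legacy shape turns any code path that drops the token into an implicit grant.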


@ -19,7 +19,7 @@ class UserCapabilityTest < CapabilityTest
# a user with no tokens
capability = Capability.new create(:user), nil
[:read, :read_one, :update, :update_one, :delete_one].each do |act|
assert capability.can? act, UserPreference
assert capability.cannot? act, UserPreference
end
# A user with empty tokens
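Review bot: this hunk only pins down the negative case, that `Capability.new create(:user), nil` now answers `cannot?` for every action in `[:read, :read_one, :update, :update_one, :delete_one]` on `UserPreference`; the commit message says the logged-in user's access now comes from the Ability path instead, so that positive case needs an assertion of its own in the ability tests or the rework is only half covered. The rendering has lost the `+`/`-` markers, but read against the message the `assert capability.can? act, UserPreference` line is the removed one and `assert capability.cannot? act, UserPreference` the added one, which is the right direction (a missing token grants nothing). Also check that the `# A user with empty tokens` case that follows gets the same `can?` to `cannot?` flip, so that `nil` and an empty token set are treated identically rather than leaving two different answers for "no token".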