Fixes #4861
Since the around_action is defined before authorize_resource is called,
the handler needs to pass on the CanCan::AccessDenied exception.
I've added the timeouts where I think they were missing (e.g. UserPreferencesController),
but I've kept the exception for changeset#upload and traces#create.
This avoids constructing xml by hand in both the controller and
the model, and opens the way for other rendering in future.
The complexity of deciding which point goes where, along with revisiting
previous tracks and tracksegs means that I've broken it down into
two parts - sorting the points into the right trksegs is done first,
before rendering them all as xml. I couldn't find a way to allow
revisiting using the builder.
It doesn't make a huge difference, since rails caches all the results
of the queries generated by point.trace lookups, but at least it cuts
down on the logs.
Now that we have all api controllers inheriting from a common base,
it's easier to override the deny_access handler without having to
switch between both.
Fixes #2064