add accessControl, only allow to read data from own organization

[swerder]

This changes forces that only allowed values can be accessed on all api endpoints.
Some logic before was only "frontend" security/filtering.
The existing backend security from policies are merged to the new middleware, the one in controllers are leave inplace.

added global middleware "globalSecurity":

• to remove filters and population query param
• to verify/force route bases Middleware "accessControl" is executed on all api endpoints

added middleware "accessControl":

• is added to all routes
• define api type and context where run (as config)
• check context aware the rights for shared accessToken or normal login (only access data of allowed Operation/Organization)
• verify not modify/create element to belong to other Operation/Organization

filters/population not longer allowed:

• they would allow to bypass the new "accessControl" managed security filters
• add new endpoint forLogin on Organization
• add "state" and "operationId" query param to add specific filter (inside "accessControl")

existing policies are removed:

• the logic are now central handled in "accessControl"

organization on logged-in user object:

• the organization is always loaded / accessible for logged-in user in ctx.state.user.organization

websocket:

• don't leak encrypted password of logged-in / shared user

For this change also changes on the frontent/client part are required:
zskarte/zskarte-client#393