Prevent crafted URLs from circumventing data access protection #76

@lcreid

A logged-in user can hand-craft URLs to try to access other users' data. We need tests on all routes/controllers that are vulnerable, and to fix the code if they are vulnerable.

At the time of writing, the vulnerable controllers are:

  • Cf0925sController
  • InvoicesController

MyProfileController by definition works against the current_user, so it's safe (at least for this issue).

Criteria for vulnerable controllers:

  • A route that includes a model ID, because that means someone could hand-craft a URL with whatever ID they want
  • A find or query method against a class name, e.g. FundedPeople.find(params[:funded_person_id]), because the query isn't automatically being limited to the current user
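
The second criterion can be checked mechanically. The script below is an added example, not code from the issue or the project: it scans controller source for finders called directly on a class name. The finder list, the sample controller and the `current_user.invoices` association are assumptions constructed for illustration.

```ruby
# Added example: audit helper, not code from the issue or the project.
# Applies the issue's second criterion: a find or query method called on a
# class name is not limited to the current user.
FINDERS = %w[find find_by find_by! where exists?].freeze # assumed list
FINDER_ALT = FINDERS.map { |f| Regexp.escape(f) }.join('|')

# A constant receiver (FundedPeople, Admin::Invoice) calling a finder directly.
# The lookbehind skips calls chained off another object.
CLASS_LEVEL_FINDER =
  /(?<![.\w:])(?<model>[A-Z]\w*(?:::[A-Z]\w*)*)\.(?<finder>#{FINDER_ALT})(?=[\s(])/

# Returns one hash per suspicious line of controller source.
def unscoped_finders(source)
  source.each_line.with_index(1).filter_map do |line, number|
    next if line.strip.start_with?('#') # ignore comment-only lines
    m = CLASS_LEVEL_FINDER.match(line)
    next unless m
    { line: number, model: m[:model], finder: m[:finder],
      uses_params: line.match?(/\bparams\b/) }
  end
end

# Constructed sample; the current_user.invoices association is hypothetical.
SAMPLE_CONTROLLER = <<~'RUBY'
  class InvoicesController < ApplicationController
    def new
      @funded_person = FundedPeople.find(params[:funded_person_id])
    end

    def show
      @invoice = current_user.invoices.find(params[:id])
    end

    def edit
      @invoice = Invoice.find_by(id: params[:id])
    end

    def index
      @open = Invoice.where(status: "open")
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  unscoped_finders(SAMPLE_CONTROLLER).each do |f|
    puts "line #{f[:line]}: #{f[:model]}.#{f[:finder]} (params: #{f[:uses_params]})"
  end
end
```

A finding marks a line to review and to cover with a test, not a confirmed flaw; the `show` action in the sample is not flagged because its lookup goes through the signed-in user's own records.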
