Don't promote default allow

App controller isAllowed should, absolutely always default to false.
Any controller overriding isAuthorized should fallback to calling the
parent function.
This also implies optimizing the code flow for normal users - not
optimizing the code flow for admin user - which is effectively how the
previous code worked.