API Security

- added APIAccess class to define access levels of API Endpoints (permissions)
- use "mailpoet_token" for all nonce (just as before)
- merged setupPublic/setupAdmin methods in API in order to avoid duplication
- check permission if access level is not all
- fixed ABSPATH check in some classes

lib/API/Endpoints/Subscribers.php

@@ -2,6 +2,7 @@
 namespace MailPoet\API\Endpoints;
 use \MailPoet\API\Endpoint as APIEndpoint;
 use \MailPoet\API\Error as APIError;
+use \MailPoet\API\Access as APIAccess;
 
 use MailPoet\Listing;
 use MailPoet\Models\Subscriber;
@@ -15,6 +16,11 @@ use MailPoet\Models\StatisticsForms;
 if(!defined('ABSPATH')) exit;
 
 class Subscribers extends APIEndpoint {
+
+  public $permissions = array(
+    'subscribe' => APIAccess::ALL
+  );
+
   function get($data = array()) {
     $id = (isset($data['id']) ? (int)$data['id'] : false);
     $subscriber = Subscriber::findOne($id);