API Security

- added APIAccess class to define access levels of API Endpoints (permissions)
- use "mailpoet_token" for all nonce (just as before)
- merged setupPublic/setupAdmin methods in API in order to avoid duplication
- check permission if access level is not all
- fixed ABSPATH check in some classes

lib/Cron/Workers/Scheduler.php

@@ -13,6 +13,8 @@ use MailPoet\Newsletter\Scheduler\Scheduler as NewsletterScheduler;
 if(!defined('ABSPATH')) exit;
 require_once(ABSPATH . 'wp-includes/pluggable.php');
 
+require_once(ABSPATH . 'wp-includes/pluggable.php');
+
 class Scheduler {
   public $timer;
   const UNCONFIRMED_SUBSCRIBER_RESCHEDULE_TIMEOUT = 5;