Read Access is much too leaky

(Bug, To be Fixed , Priority: High, Test Status: No automated tests yet , Reported By Justin du Coeur, )
Access Control
Summary: At the moment, given a Thing that you don't have Read access to, you can still see it in listings and such. This implicitly makes security far too haphazard -- I just plain don't trust the read security yet.
We need to fundamentally shift the model, to make it so that, if you can't see a particular Thing, you can't even see that it exists. That means that, instead of enforcing this security at the business-code level, we should be enforcing it at the SpaceState itself.
Checking every calls to state.anything() or state.descendants() will be a PITA, though. So the smart plan is probably to deal with this at the UserSession boundary. At the same time when we enhance the state to add the User Values, we should remove all Things that this User cannot see. That way, every time the user calls GetThing, the state that they get back is properly sanitized before they can do anything with it.
This probably can't be done in less than O(n) time, sadly, since each Thing can override its Model. But looking at the tree as a tree might help a lot, if we treat instance overrides as an exception instead of examining each Thing completely sui generis -- we could assume that the instance inherits from Space and Model unless we find Who Can Read set on it.
Note that the actual transformation of the state probably belongs under AccessControl -- UserSession should call that, rather than doing nasty security code itself.