Satellite / SAT-38164

User's organization and location membership is not propagated to authorization checks


      Description of problem:
      The common assumption is that what a user is allowed to do is the intersection of what the user's permissions allow and which organizations and locations the user belongs to. Currently the authorize helper (and friends) only deals with permissions, so a user with a permission on a resource type can reach records in organizations and locations they are not a member of. The goal of this issue is to make that assumption hold.

      How reproducible:

      always

      Is this issue a regression from an earlier version:

      No

      Steps to Reproduce:

      1. Have organizations org1 and org2
      2. Create a user 'u'
      3. Assign the user to org1
      4. Create domain 'd1' in org1
      5. Create domain 'd2' in org2
      6. Create a custom role, do not set any taxonomies on the role, add view_domains permission to it
      7. In rails console:
      > User.current = User.find_by(login: 'u')
      -----B<-----SNIP-----B<-----
      
      > ::Domain.unscoped.authorized(:view_domains).map(&:name)
      ['d1', 'd2']
      

      Actual behavior:
      The console query finds both domains, including 'd2' in org2, which the user is not a member of

      Expected behavior:
      The console query finds only 'd1', the domain in the organization the user belongs to

      Katello-flavored steps to reproduce:
      1) Have organizations org1 and org2
      2) Create a user 'u'
      3) Assign the user to org1
      4) Create product 'p1' in org1
      5) Create product 'p2' in org2
      6) Create a custom role, do not set any taxonomies on the role, add view_products permission to it
      7) In rails console:

      > User.current = User.find_by(login: 'u')
      -----B<-----SNIP-----B<-----
      
      > ::Katello::Product.authorized(:view_products).map(&:name)
      ['p1', 'p2']
      

      Business Impact / Additional info:
      Foreman resources carry a default scope that applies organization and location scoping (hence the `unscoped` in the Foreman reproduction above), but that scoping is not part of the authorization check itself. Anything that bypasses the default scope, or any resource that is not covered by it (the Katello reproduction above reaches both products without calling `unscoped`), is therefore filtered by permissions only.
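The following stand-alone Ruby script is an added illustration of the behaviour described in both reproductions; it is not Foreman or Katello code. `Taxonomy`, `Resource`, `Role`, `User`, `authorized_by_permission_only` and `authorized_with_taxonomies` are hypothetical names chosen for the model, and the fixture is constructed to mirror the steps above. It goes slightly beyond the report by also modelling locations and a third domain that the user's organization covers but the user's location does not, so the intersection has to hold on both axes.

```ruby
# Added example modelling the reported gap: a permission-only "authorized"
# versus one that intersects permissions with organization/location
# membership. Hypothetical names; not Foreman's or Katello's implementation.
require 'set'

Taxonomy = Struct.new(:name)                        # an organization or a location
Resource = Struct.new(:name, :organization, :location)
Role     = Struct.new(:name, :permissions)          # permissions: Set of symbols

class User
  attr_reader :login, :roles, :organizations, :locations

  def initialize(login, roles:, organizations:, locations:)
    @login = login
    @roles = roles
    @organizations = organizations
    @locations = locations
  end

  # Any role granting the permission is enough. This is the only check the
  # report says the current authorize helper performs.
  def permitted?(permission)
    roles.any? { |role| role.permissions.include?(permission) }
  end

  # Taxonomy membership: the resource's organization AND location must both
  # be ones the user belongs to.
  def member_of?(resource)
    organizations.include?(resource.organization) &&
      locations.include?(resource.location)
  end
end

# Models the actual behaviour from the report (`Model.unscoped.authorized(:perm)`):
# once the permission is granted, every record of the type is returned.
def authorized_by_permission_only(user, permission, resources)
  return [] unless user.permitted?(permission)

  resources
end

# Models the expected behaviour: permission AND membership, so the result is
# the intersection the description talks about.
def authorized_with_taxonomies(user, permission, resources)
  return [] unless user.permitted?(permission)

  resources.select { |resource| user.member_of?(resource) }
end

# Constructed fixture mirroring the steps to reproduce (plus loc1/loc2 and d3).
ORG1 = Taxonomy.new('org1')
ORG2 = Taxonomy.new('org2')
LOC1 = Taxonomy.new('loc1')
LOC2 = Taxonomy.new('loc2')

DOMAINS = [
  Resource.new('d1', ORG1, LOC1), # user's org and location: should be visible
  Resource.new('d2', ORG2, LOC1), # foreign org: should be hidden
  Resource.new('d3', ORG1, LOC2)  # user's org but foreign location: should be hidden
].freeze

# Custom role with view_domains and no taxonomies set, as in step 6.
VIEW_DOMAINS = Role.new('domain viewer', Set[:view_domains])
USER_U = User.new('u', roles: [VIEW_DOMAINS], organizations: [ORG1], locations: [LOC1])
# A user who is a member everywhere but holds no role: must see nothing either way.
USER_NO_ROLE = User.new('v', roles: [], organizations: [ORG1, ORG2], locations: [LOC1, LOC2])

def names_by_permission_only(user = USER_U)
  authorized_by_permission_only(user, :view_domains, DOMAINS).map(&:name)
end

def names_with_taxonomies(user = USER_U)
  authorized_with_taxonomies(user, :view_domains, DOMAINS).map(&:name)
end

puts "permission only: #{names_by_permission_only.inspect}" # ["d1", "d2", "d3"]
puts "with taxonomies: #{names_with_taxonomies.inspect}"    # ["d1"]
```

The same shape applies to the Katello variant: replace the domains with products and `:view_domains` with `:view_products`, and the permission-only path still returns 'p2' from org2. The point to carry into a fix is that membership must be enforced inside the authorization query itself, not left to a default scope that callers can drop.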
Adam Ruzicka (aruzicka@redhat.com)
Peter Ondrejka