Refactor Group and User ACLs

These ones are very simple, just a small update to make them match the
style of the others as well.

tildes/tildes/models/group/group.py

@@ -3,7 +3,7 @@
 from datetime import datetime
 from typing import Any, Optional, Sequence, Tuple
 
-from pyramid.security import Allow, Authenticated, DENY_ALL, Everyone
+from pyramid.security import Allow, Authenticated, Deny, DENY_ALL, Everyone
 from sqlalchemy import (
     Boolean,
     CheckConstraint,
@@ -79,14 +79,23 @@ class Group(DatabaseModel):
 
     def __acl__(self) -> Sequence[Tuple[str, Any, str]]:
         """Pyramid security ACL."""
-        acl = [
-            (Allow, Everyone, 'view'),
-            (Allow, Authenticated, 'subscribe'),
-        ]
+        acl = []
 
+        # view:
+        #  - all groups can be viewed by everyone
+        acl.append((Allow, Everyone, 'view'))
+
+        # subscribe:
+        #  - all groups can be subscribed to by logged-in users
+        acl.append((Allow, Authenticated, 'subscribe'))
+
+        # post_topic:
+        #  - only admins can post in admin-posting-only groups
+        #  - otherwise, all logged-in users can post
         if self.is_admin_posting_only:
             acl.append((Allow, 'admin', 'post_topic'))
-        else:
+            acl.append((Deny, Everyone, 'post_topic'))
+
         acl.append((Allow, Authenticated, 'post_topic'))
 
         acl.append(DENY_ALL)

tildes/tildes/models/user/user.py

@@ -127,11 +127,14 @@ class User(DatabaseModel):
 
     def __acl__(self) -> Sequence[Tuple[str, Any, str]]:
         """Pyramid security ACL."""
-        acl = [
-            (Allow, Everyone, 'view'),
-        ]
+        acl = []
+
+        # view:
+        #  - everyone can view all users
+        acl.append((Allow, Everyone, 'view'))
 
-        # anyone can message a user except themself
+        # message:
+        #  - anyone can message a user except themself
         acl.append((Deny, self.user_id, 'message'))
         acl.append((Allow, Authenticated, 'message'))