Follow-up from "pages for subgroups" - refactor access control tests

The following discussion from !123 (merged) should be addressed:

• @nolith started a discussion: (+2 comments)

  I'm not a big fan of this.

  maybe something like the following will increase readability, but I'm not 100% sure.

  	testServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  		switch r.URL.Path {
  		case "/oauth/token":
  			assert.Equal(t, "POST", r.Method)
  			w.WriteHeader(http.StatusOK)
  			fmt.Fprint(w, "{\"access_token\":\"abc\"}")
  		case "/api/v4/user":
  			assert.Equal(t, "Bearer abc", r.Header.Get("Authorization"))
  			w.WriteHeader(http.StatusOK)
  		default:
  			switch {
  			case allowedProjects.MatchString(r.URL.Path):
  				assert.Equal(t, "Bearer abc", r.Header.Get("Authorization"))
  				w.WriteHeader(http.StatusOK)
  			case deniedProjects.MatchString(r.URL.Path):
  				assert.Equal(t, "Bearer abc", r.Header.Get("Authorization"))
  				w.WriteHeader(http.StatusUnauthorized)
  			case invalidTokenProjects.MatchString(r.URL.Path):
  				assert.Equal(t, "Bearer abc", r.Header.Get("Authorization"))
  				w.WriteHeader(http.StatusUnauthorized)
  				fmt.Fprint(w, "{\"error\":\"invalid_token\"}")
  			default:
  				t.Logf("Unexpected r.URL.RawPath: %q", r.URL.Path)
  				w.Header().Set("Content-Type", "text/html; charset=utf-8")
  				w.WriteHeader(http.StatusNotFound)
  			}
  		}
  	}))