Bug in create_personal_snippet ability

Summary

The create_personal_snippet ability is defined inside the PersonalSnippetPolicy. This means that the ability is scoped under a Snippet object. However, this ability should live outside that policy, since it represents the ability to create a new Snippet (for example, to decide whether to show the Create Snippet button).

Besides this, the New Snippet button doesn't check that ability, so it's shown even when the user doesn't have sufficient access rights.

Furthermore, in the SnippetsController we don't check this ability for the new and create actions either.

At the moment, this doesn't seem to cause many problems, because the create_personal_snippet policy applies mostly to anonymous users, and for most of the actions the user has to be logged in.

What is the current bug behavior?

If we check for the create_personal_snippet ability in the user's policy we get:

> UserPolicy.new(user, user).debug(:create_personal_snippet) => #<DeclarativePolicy::Runner::State:0x00007fd5b1479260 @enabled=false, @prevented=true>

If we wanted to check this ability, we would have to do:

> PersonalSnippetPolicy.new(user, nil).debug(:create_personal_snippet) => #<DeclarativePolicy::Runner::State:0x00007fd58257b408 @enabled=false, @prevented=true>

If you log in with a user who is not allowed to create personal snippets, you can still see the New Snippet button and also create snippets.

What is the expected correct behavior?

Buttons should be shown only when the user has the create_personal_snippet ability.

Also, the abilities should be moved to the UserPolicy to avoid passing a nil snippet to PersonalSnippetPolicy.
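The following is an added illustration of the expected behaviour, not code from GitLab or from its DeclarativePolicy library: a minimal, self-contained policy resolver in which create_personal_snippet is defined on the user-scoped UserPolicy (subject is the user itself, so no nil snippet is passed), and the same can? check gates both the view helper that renders the New Snippet button and the controller's new and create actions. The rule DSL, the User struct, the AccessDenied error and the concrete conditions (logged in and not blocked) are assumptions made for the example.

```ruby
# Added example, not GitLab's DeclarativePolicy: a tiny rule DSL where each
# rule is a block evaluated against the policy instance and can enable or
# prevent abilities. A prevent always wins over an enable.

User = Struct.new(:name, :blocked, keyword_init: true)  # constructed model
ANONYMOUS = nil  # the "no current user" case

class BasePolicy
  RuleBuilder = Struct.new(:policy_class, :condition) do
    def enable(*abilities)
      policy_class.rules << [:enable, condition, abilities]
    end

    def prevent(*abilities)
      policy_class.rules << [:prevent, condition, abilities]
    end
  end

  def self.rules
    @rules ||= []  # per-policy-class rule table
  end

  def self.rule(&condition)
    RuleBuilder.new(self, condition)
  end

  attr_reader :user, :subject

  def initialize(user, subject)
    @user = user
    @subject = subject
  end

  # Resolve one ability: enabled by at least one matching rule and not prevented.
  def allowed?(ability)
    enabled = false
    prevented = false
    self.class.rules.each do |kind, condition, abilities|
      next unless abilities.include?(ability)
      next unless instance_exec(&condition)
      enabled = true if kind == :enable
      prevented = true if kind == :prevent
    end
    enabled && !prevented
  end
end

# The ability lives on the user-scoped policy; the subject is the user itself.
# Conditions below are assumptions for the example, not GitLab's actual rules.
class UserPolicy < BasePolicy
  rule { !user.nil? }.enable :create_personal_snippet
  rule { !user.nil? && user.blocked }.prevent :create_personal_snippet
end

class AccessDenied < StandardError; end

# Single check used by both the view and the controller (assumed helper name).
def can?(user, ability)
  UserPolicy.new(user, user).allowed?(ability)
end

# View helper: render the New Snippet button only when the ability holds.
def show_new_snippet_button?(user)
  can?(user, :create_personal_snippet)
end

# Controller stand-in: authorize before both the form (new) and the write (create),
# so hiding the button is never the only thing standing between a user and a write.
class SnippetsController
  def initialize(current_user)
    @current_user = current_user
  end

  def new
    authorize!(:create_personal_snippet)
    :render_new_form
  end

  def create
    authorize!(:create_personal_snippet)
    :snippet_created
  end

  private

  def authorize!(ability)
    raise AccessDenied, ability.to_s unless can?(@current_user, ability)
  end
end
```

The point of routing the view helper and the controller through the same can? call is that the button's visibility and the server-side authorization can no longer drift apart: an anonymous or blocked user sees no button, and a request that bypasses the UI still fails at authorize!.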

Edited by Francisco Javier López