Respect authorizations on releases

Summary

Right now, to check if the releases for a project should be exposed, we only check if the project is public. But as @tkuah explained, it turns that even when a project is public, its subresources can still be private. We thus need to check the readability of the resource for the guest user.

This also means we should probably add back nullifying current_user in ActivityPub::ApplicationController like we initially did, to make it easier to use #can? without having to think each time to pass nil rather than current_user (we don't want to allow access to private resources through ActivityPub, even if the request somehow contains valid session cookies).

Steps to reproduce

1. Make sure the flightjs/Flight project is public
2. Create a few releases for it
3. Configure releases to be private
4. Run curl -H 'Accept: application/ld+json; profile="https://www.w3.org/ns/activitystreams"' "http://127.0.0.1:3000/flightjs/Flight/-/releases/outbox"
5. You see the private releases, but you should not.