There are now two types of global bans: IP bans and user bans:

* If logged in and trusted, POST requests will check if the user is user
  banned.
* If logged in and *not* trusted, POST requests will check if the user
  is user banned *and* IP banned.
* If not logged in, only IP bans will be checked on POST. This excludes
  /login, which is somehow magically exempt from the ban listener (which
  is exactly what we want anyway).

Additonally, many smaller fixes have been applied to vaguely ban-related
stuff. For instance, the IP ban form now uses DTOs, and the ban landing
page was moved to its own controller class in order to reduce the number
@IsGranted annotations.