Fix several problems with authentication and decorators in the web API.

The work with post-review has brought forth some problems with the web API.

First, the fix to @augment_method_from causes some unit test failures. We
were passing invalid parameters in the diff comments tests, which weren't
caught before because a decorator was being skipped over. This is now fixed,
both in the unit test and in the list of arguments accepted for the
resource's get_list.

Second, PERMISSION_DENIED was not sufficient for unauthenticated clients.
We now return NOT_LOGGED_IN instead when the client hasn't authenticated yet,
giving them a chance to authenticate. A subsequent call for the resource may
still return PERMISSION_DENIED, though.

Unit tests now pass, and post-review works.