Improve error when flagging when logged out

Don't show duplicate toastr messages at once

Improve the error message that's shown to the user when trying to flag
an annotation while logged out.

Instead of showing a "404 Not Found. Either the resource you requested
doesn't exist, or you are not currently authorized to see it." error
from the server, show a friendlier "You must be logged in to report an
annotation" message.

This is done client-side by checking whether the user is logged in when
they click the flag button, and if not showing an error instead of
sending the flag request to the API. This is because the API doesn't
respond with a unique "You must be logged in to flag" error that the
client could depend on, it just returns a 404, which could be for a
number of reasons (e.g. the annotation no longer exists).

Use `this` or `self` to refer to the controller instance in annotations

I've attempted to make the comment explaining that all initialization
code except for assigning bound methods goes in `init()` more succinct.

Make `sidebar/components/annotation` consistent with other code by using
`this` or `self` to refer to the controller instance instead of `vm`.

 * Replace `vm` with `this` or `self` (in nested functions)

 * Remove ESLint exception at the top of the file

 * Remove unused `$q` import

Exclude vendor code from coverage metrics

Do not show highlight indicator for censored annotations

Do not display moderation banner unless moderation metadata is present

Initialize `target` field for new replies

Annotations must have a `target` field and those returned by the server
always do. For compatibility reasons the server allows clients to submit
new annotations which provide the data in the `url` field instead.

This field was omitted when creating new replies in the client and this
broke an assumption in the `quote()` function.

The logic for creating the reply and extracting the quote is in the
wrong place, but I've left it here for the moment to keep the diff
minimal.

Fix exception when rendering a thread if the thread item has no
annotation. This happens if the thread item was created for an
annotation whose prior existence was inferred by a reply but no longer
exists.

Exclude vendored third-party code, including Annotator.js, from code
coverage metrics.

For annotations that have been saved we decide whether it is a highlight
based on whether it has a) selectors and b) content (tags or text). For
a censored/hidden annotation a non-moderator cannot tell whether it has
content.

Assume that censored annotations have content and are therefore not
highlights.

Annotations which are hidden may still be returned to non-moderators
with the `hidden` flag set, if they have replies. In this case the
moderation banner should not be shown.

Render "censored text" for hidden annotations

Fix variance in annotation share dialog test coverage

Rewrite and simplify the permissions service

Display a column of horizontal stripes to give the impression of
censored text for hidden annotations if the annotation's content has
been removed by the service.

Implements mock at https://github.com/hypothesis/product-backlog/issues/231#issuecomment-295600762

Remove a broken unit test

Git push to hardcoded https URL and master branch

As noted in this comment:

https://github.com/hypothesis/client/pull/356#discussion_r111998459

this test doesn't actually test what it says it does, and fixing the
test would require some refactoring of the code under test. For now,
just delete the test.

Change the `git push` command that the `npm version minor` command runs
when doing a client release to:

1. Hardcode the https URL of the client repo, instead of assuming the
   user's `origin` is set to it

2. Push only the user's master branch to the remote master branch
   (instead of potentially pushing other local branches as well)

Use the new `/api/links` resource

There's no unit test for this. Because of Promises, it cannot be tested
without refactoring serviceUrl.

Change serviceUrl to return URLs by expanding URL templates received
from h's /api/links resource, rather than using hardcoded URL templates
as it previously did.

The interface and contract that serviceUrl presents to its users remains
the same - the fact it's now sending an API request to get the URL
templates, and waiting for the response, is completely hidden from its
users.

This hiding is achieved by two tricks:

1. Always returning "" for an expanded URL if the API response hasn't
   been received yet, rather than, for example, changing the interface
   to return Promises instead of strings (which would then require
   changes to every user of the interface, and possibly their users...)

2. Updating annotationUI, the Redux state store, with the new URL
   templates when the API response is received. This causes any
   AngularJS components that might have used an (empty string) URL to be
   re-rendered, they will call sericeUrl URL again and this time get the
   actual URLs.

   This is completely transparent to the components - annotationUI
   causes AngularJS to call them again and this time they will get a
   different result from serviceUrl. The code of the components
   themselves doesn't need to change.

Additionally, serviceUrl will never throw errors if it hasn't received
the API response yet. For example there is no error if an unknown link
name is requested, or if unused template params are given. It just
always returns "". Once it _does_ have the API response then it will
start throwing errors for bad requests, the same as it did previously.

Add a new function to `store`, the https://hypothes.is/api wrapper,
that provides access to the new https://hypothes.is/api/links resource.

Add a Redux reducer for storing the links (URL templates) from the
/api/links HTTP resource in the state store.

This adds a missing test for the behavior and also fixes variance in
test coverage between runs because the code that implements this
behavior sometimes ran and sometimes did not.

Instead of adding event listeners to the document to track clicks
outside the share dialog, use a transparent backdrop element behind the
share dialog which covers the whole page.

This avoids the need to register/unregister document-level event
handlers in the controller, removing some code which was untested.

Refactor the annotation share dialog's controller for consistency with
other components:

 - Move controller to a top-level function in the file

 - Capture `this` as `self` rather than using `bind`

 - Attach `onShareClick` to controller rather than `$scope`