The backend code in `h.streamer` assumes that the arguments to "one_of"
are either a non-empty list or a single value. Passing an empty list
causes the generation of a bogus query.

So, don't update the stream filter until we have at least one URI to
stream from.

Fixes #2257.

Update to the latest packaging changes of the anchoring helper modules
that now specify a browser field and browserify transforms in their
package.json files. This bypasses the UMD wrapper of these modules,
saving bytes and avoiding the need to wrap them with browserify-shim.

Even when used as a CommonJS module, angular installs itself globally.
Rather than fight this in our tests, just leverage it. The mocks module
also installs itself under angular.mock. Therefore, none of the require
statements for angular or angular-mocks are necessary.

It turns out we don't need Sinon-Chai because we only use the assert
interface. According to the Sinon-Chai docs:

    For assert interface there is no need for this library.

Instead, we just install the assertions into the assert object.

There's no reason to have these methods have a different name in the
guest as the host. The implementation should be opaque.

Reload annotations on auth change

Just because the user has permission to read an annotation does not
imply that it should still be visible under the current search after
the authentication change. An example of this is when a NIPSA flagged
user logs out but has public annotations visible.

Two front-end fixes

- Collapsed threads don't show tags
- Collapsed threads should have space between user and reply count
- "Sign in required" card should have symmetric vertical margins

Consolidate and style the admin interface

While the URL object stringifies nicely, meaning this does work,
it is liable to confuse request interceptors that expect a string.

This commit brings together "administrator" views into one place -- the
Hypothesis admin console, found at /admin.

So far, the only to admin views we have are for flagging/unflagging
users as NIPSA, and for administering administrative user status. In the
near future, we may also have a feature flag console in here.

- I've moved all the admin views into `h.admin` so that we don't
  confused business logic view functions with administrative view
  functions, and so that in future it is easier to treat the `/admin`
  tree as a single entity for the purposes of permissions, etc.
- I've added an "admin" page layout, which uses Twitter Bootstrap for
  basic styling.
- I've rejigged both the NIPSA and the administrator users pages to make
  use of bootstrap.

Update Firefox extension for Jetpack Manager tool

Simpler session service

Rather than using a separate named value to keep track of the current
CSRF token, simply treat this as part of the session state.

This commit does three things. In order of importance:

- wraps the ngResource for managing session state in a service, which
  allows us to expose current session state as `session.state` on that
  instance. This means that components of the application that don't
  want to alter or explicitly fetch session state, but wish to display
  some part of it (such as the current authenticated userid, etc.) can
  do so more easily.
- moves configuration of the session resources into the session service
  rather than requiring configuration from outside via a
  sessionProvider.
- translates the session service to JavaScript from CoffeeScript.

Fix infinite digest cycle caused by feature flag client

This was a fun bug. If multiple feature checks are done in rapid
succession when the features cache is empty (such as, for example,
during the first digest cycle at application boot time) then the
features client would keep kicking off HTTP requests until the first one
returned.

This would clearly be a misfeature, but wouldn't actually have caused
any problems but for the fact that the spinner in
`h/directives/simple-search.coffee` does this to determine whether to
spin:

    scope.$watch (-> $http.pendingRequests.length), (pending) ->
      scope.loading = (pending > 0)

This means that kicking off dozens of requests at a time keeps
invalidating the digest cycle (because the value of
`$http.pendingRequests.length` keeps changing), so it never ends. The
result is the ever-horrible `infdig` (infinite digest cycle) error from
Angular: https://docs.angularjs.org/error/$rootScope/infdig.

The angular $httpBackend mocking service supports two primary means of
usage:

   .expect(...).respond(...)

and

   .when(...).respond(...)

The latter pattern allows a single handler to respond to multiple
requests, in any order. The latter is precise -- one .expect() must be
matched by one request, in the correct order.

This commit changes the tests for the "features" service to use this
more precise form of testing.

PDF usages might want to specify relative URLs to get around proxy
restrictions with a custom viewer. Even link tags support relative
URLs for rel=canonical though it's probably a bad idea as a publisher.
In any case, we should clearly just do this.

Make Makefile more dumb

Add support for flagging user accounts as "not in public site areas"

Getting picky with our code styles

Added use strict.
Removed unused `attrs` var;

Docs URL line length is a bit too long...

The single it() in this test module was not being run (it was indented
inside a beforeEach()) and dedenting it reveals that the beforeEach() is
actually crashing anyway (controller somehow not registering with the
$controller service, looks like).

Rewrite the module to work and be clearer.

Stop two sources of dangling transactions