app controller: replace calls to access_denied with PrivilegeError.

Standardize controllers to raise User::PrivilegeError instead of calling
`access_denied` directly.

test/functional/comments_controller_test.rb

@@ -23,7 +23,7 @@ class CommentsControllerTest < ActionDispatch::IntegrationTest
 
     context "index action" do
       should "render for post" do
-        get comments_path(post_id: @post.id, group_by: "post", format: "js")
+        get comments_path(post_id: @post.id, group_by: "post", format: "js"), xhr: true
         assert_response :success
       end