<role>_only: fix role checking logic to check ip bans last.

Make <role>_only methods check the role first and ip bans last. This
avoids hitting the database for anonymous users, since they'll always
fail the is_<role>? check before the ip check.

app/controllers/application_controller.rb

@@ -184,11 +184,8 @@ class ApplicationController < ActionController::Base
 
   User::Roles.each do |role|
     define_method("#{role}_only") do
-      if !CurrentUser.user.is_banned_or_ip_banned? && CurrentUser.user.__send__("is_#{role}?")
-        true
-      else
-        access_denied()
-        false
+      if !CurrentUser.user.send("is_#{role}?") || CurrentUser.user.is_banned? || IpBan.is_banned?(CurrentUser.ip_addr)
+        access_denied
       end
     end
   end

app/models/user.rb

@@ -113,10 +113,6 @@ class User < ApplicationRecord
   accepts_nested_attributes_for :dmail_filter
 
   module BanMethods
-    def is_banned_or_ip_banned?
-      return is_banned? || IpBan.is_banned?(CurrentUser.ip_addr)
-    end
-
     def validate_ip_addr_is_not_banned
       if IpBan.is_banned?(CurrentUser.ip_addr)
         self.errors[:base] << "IP address is banned"