Dedicated error page for permission errors

Prior to this change permission errors (i.e. the user is logged in but does not have a required group) were reported with flash('Access denied') and a redirect to the selfservice index page. This causes two problems: The error is reported with HTTP status 301/200 which is difficult to check for in tests. This can also cause redirect loops as soon as the selfservice uses more differentiated permission checks (see #104 (closed)).

With this change a dedicated error page is displayed in place the requested page and the HTTP status 403 is returned. This is implemented with flask's errorhandler concept for 403.