When a user is not authorized to see the list of hooks for a project, he is
still able to access the hooks separately. For example if access to
`GET /projects/:id/hooks` fails and returns a `403 Unauthorized` error it is
still possible to access a hook directly via `GET /projects/:id/hooks/:hook_id`.

Fixes access, also added tests to check access and status codes of hooks.