LP#1424755: Org Unit Setting view permissions can be bypassed

LP#1424755: Org Unit Setting view permissions can be bypassed

Fix private org. unit setting leakage by forcing the $auth argument
to true if not passed in when open-ils.actor.ou_setting.ancestor_default
or open-ils.actor.ou_setting.ancestor_default.batch are called.

Other than a change to the desc of the public methods to reflect that
they now check permissions if permissions are required, there are no
required api changes to the back or the front ends.

Signed-off-by: Jason Stephenson <jstephenson@mvlc.org>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Ben Shum <bshum@biblio.org>