Only allow endorsement for categories that the user has access to (PR #27)

Right now any user can be endorsed for any category that is accepting endorsements. This was nice because it didn’t require an extra call to the server, but of course cannot stand. This adds a new route that return categories that are accepting endorsements and both the logged in user, and endorsee have access to the category.


Could you use requires_login only: ... here and current_user instead of @user below?

I could do the first part, but the @user is not the current user, its the user to be endorsed.