Make the `permission_callback` argument required

[johnbillion]

Reference: https://core.trac.wordpress.org/ticket/50075 plus its comments. Observe that this design deficiency directly led to security vulnerabilities in at least three very popular plugins.

The tl;dr is that it was a mistake for the permission_callback argument to not be required when registering a REST API endpoint, for a few reasons:

• It makes it easy for a developer to overlook permissions as they aren't required to explicitly implement a permissions check
• It makes it easy for a typo in the property name to go unnoticed (arguably more of a schema validation problem, but still)

The same concerns apply to the permission_callback argument when registering an ability. This argument should be made mandatory and registration of an ability should fail hard when not present.

[gziolo]

Good callout. It will still be relatively simple to pass __return_true if folks want to make the ability generally available. At the same time, as pointed out, this is going to be an explicit developer's decision 👍🏻

[justlevine]

Handled in #73 and awaiting review.