MantisBT: master-2.27 25256886

Author: dregad
Committer: dregad
Branch: master-2.27
Timestamp: 2025-10-20 11:05
Parent: master-2.27 917b1497
Affected Issues  0036503: Ability to change the default project of a user
Changeset

Check user access before setting default project

Using crafted query parameters, it was possible to call set_project.php
with a project_id that the user does not have access to, resulting in
an invalid default project stored in the user's preferences.

This caused an ERR_TOO_MANY_REDIRECTS error when accessing
bug_report_page.php while the current project is ALL_PROJECTS.

We now check that the user has access to the project before setting it
as default, and throw an access denied if not.

Fixes 0036503

mod - set_project.php
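
The check described in the commit message, as an added example that is not MantisBT's code and not the content of this changeset: a request-supplied project_id is validated and checked against the user's accessible projects before it is stored as the default. It assumes PHP 8; every function name, class name and data value below is hypothetical or constructed.

```php
<?php
// Added example, not MantisBT code. All names and data here are constructed.
declare(strict_types=1);

final class AccessDenied extends RuntimeException {}

// Constructed sample data: project id => ids of users allowed to see it.
$projectMembers = [1 => [10, 11], 2 => [11]];
// Constructed preference store: user id => default project id.
$defaultProject = [10 => 1, 11 => 2];

/** True when the project exists and the user is a member (hypothetical helper). */
function user_can_access_project(array $members, int $userId, int $projectId): bool
{
    return isset($members[$projectId]) && in_array($userId, $members[$projectId], true);
}

/** Validate the request parameter, check access, and only then persist it. */
function set_default_project(array $members, array &$prefs, int $userId, mixed $rawProjectId): void
{
    // Reject anything that is not a plain positive integer.
    $projectId = filter_var($rawProjectId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($projectId === false) {
        throw new InvalidArgumentException('project_id must be a positive integer');
    }
    // An unknown project and a project the user cannot see are refused the same way.
    if (!user_can_access_project($members, $userId, $projectId)) {
        throw new AccessDenied("user $userId has no access to project $projectId");
    }
    $prefs[$userId] = $projectId; // written only after the check has passed
}

// User 10 is a member of project 1 only.
set_default_project($projectMembers, $defaultProject, 10, '1');
echo "accepted '1'\n";

// Constructed request values: inaccessible, nonexistent, malformed, negative.
foreach (['2', '999', '1;2', '-5'] as $crafted) {
    try {
        set_default_project($projectMembers, $defaultProject, 10, $crafted);
        echo "accepted '$crafted'\n";
    } catch (AccessDenied | InvalidArgumentException $e) {
        echo "rejected '$crafted': {$e->getMessage()}\n";
    }
}
// The stored preference is unchanged by the rejected requests.
echo "stored default for user 10: {$defaultProject[10]}\n";
```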