Role access proxies should support custom methods

[jace]

To accommodate the expectations of GraphQL in #100, we're currently moving all business logic into methods on the model itself, removing them from views. This leaves a gap in the layers for forms, since there is no explicit link between a form and a model. Here's a workaround:

1. RoleMixin declares an attribute proxy_class = RoleAccessProxy
2. A subclass of RoleAccessProxy (hosted in the view or forms layer of an app) can provide additional methods as needed. It can registered against the model using Model.proxy_class = ModelProxy. Calling obj.current_access() will now return an instance of this proxy class.
3. The subclass can provide validates_<attr> methods. RoleAccessProxy.__setattr__ will look for this method and call it if present, before mutating the main object. This is similar to how WTForms.Form does field validation.
4. Care must be taken in the proxy to not write to self, since all writes are passed through to the main object.

The link between proxy and form is still unclear since this version of the proxy replaces the write functionality of the form, but only doing per-field validation (unlike the form's validate method which can check for cross-field data sanity).

[jace]

If the model must declare its proxy subclass, why can't those methods be contained in the model itself? There's no clear justification for yet another layer.