Authorized/Unauthorized is inconsistent in data object and session

[samuraisam]

This needs to be reviewed. It mostly all works, but the API needs to be made consistent with regards to authorized/unauthorized

Instances:

• SBSession.objectDecorator assumes everything is authenticated. should populate from the session