Closed
Description
Follow-up from #483 (comment)
At the moment we use an M2M token to read members via the GET /project/{id}/members endpoint, and we control WHO can read members using the permission READ_PROJECT_MEMBER. But we also return members in the GET /projects and GET /projects/{id} endpoints.
To keep it consistent, we should only return members with the project object in these project endpoints if the user has the permission READ_PROJECT_MEMBER.
We should implement unit tests for each endpoint, GET /projects and GET /projects/{id}, to verify that members are not returned when the request is made using an M2M token with the read:projects scope but without the read:project-members scope.
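One way to apply the same permission check to the project endpoints, as an added example that is not the project's own code. It assumes the decoded M2M token is an object with an isMachine flag and either a space-separated scope claim or a scopes array, and that a user principal carries a resolved permissions list; the scope name read:project-members and the permission READ_PROJECT_MEMBER come from the issue above, everything else (sample projects, function names) is constructed here. The check is made once per request and the project objects are copied rather than mutated, so a cached or shared project object is never stripped in place.

```javascript
// Added example, not the project's own code: hide `members` in project
// responses unless the caller may read them (same rule as
// GET /project/{id}/members).
const READ_PROJECT_MEMBERS_SCOPE = 'read:project-members';   // from the issue
const READ_PROJECT_MEMBER_PERMISSION = 'READ_PROJECT_MEMBER'; // from the issue

// Assumption: an M2M token payload carries either a space-separated `scope`
// claim or a `scopes` array. Both forms are normalised into a Set.
function tokenScopes(auth) {
  if (Array.isArray(auth.scopes)) return new Set(auth.scopes);
  if (typeof auth.scope === 'string') {
    return new Set(auth.scope.split(/\s+/).filter(Boolean));
  }
  return new Set();
}

// Single decision point for "may this caller see project members?".
// Assumption: user principals expose a resolved `permissions` list.
function canReadProjectMembers(auth) {
  if (!auth) return false;
  if (auth.isMachine) return tokenScopes(auth).has(READ_PROJECT_MEMBERS_SCOPE);
  return Array.isArray(auth.permissions)
    && auth.permissions.includes(READ_PROJECT_MEMBER_PERMISSION);
}

// Return a copy of the project without `members`; never mutate the input.
function stripMembers(project) {
  const { members, ...rest } = project;
  return rest;
}

// GET /projects/{id}
function presentProject(project, auth) {
  return canReadProjectMembers(auth) ? project : stripMembers(project);
}

// GET /projects: decide once per request, not once per project.
function presentProjects(projects, auth) {
  if (canReadProjectMembers(auth)) return projects;
  return projects.map(stripMembers);
}

// Constructed sample data used by the checks below.
const sampleProjects = [
  { id: 1, name: 'alpha', members: [{ userId: 10 }, { userId: 11 }] },
  { id: 2, name: 'beta', members: [{ userId: 12 }] },
];
```

A unit test for the issue's scenario then calls presentProject and presentProjects with a token whose scope is exactly read:projects and asserts that the result has no members key, and repeats with read:projects read:project-members and asserts that members are present and unchanged.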