Fix ACL on Group.get API
ACL filtering was done after results were retrieved from the database, which in the majority of cases would lead to incorrect results being returned.
Consider the following scenario. 100 groups exist in the DB. A user has access to the 100th group.
Group.get will return 'the first' 25 groups, filter them all, and return that no groups are available.
Aside from this being a problem in itself, it also causes paged API calls (e.g. the API call that populates the CiviMail recipients list of groups) to fail as they assume that there are no more records to return.
If check permissions is checked and we do not have view all contacts, we add an extra where clause to
_civicrm_api3_basic_get, ensuring that only visible groups are returned.