SQLAdmin: Authorization Bypass on `ajax_lookup`

### Impact The `ajax_lookup` endpoint in `application.py` bypasses the `is_accessible()` access control check that all other endpoints enforce. If a developer restricts model access by overriding `is_accessible()`, an authenticated user can still query that model's data through the `ajax_lookup` endpoint — silently bypassing the restriction. **Affected endpoint:** `GET /{identity}/ajax/lookup?name=<field>&term=<query>` **All other endpoints enforce both checks:** | Endpoint | `@login_required` | `is_accessible()` | |---|---|---| | `list` | ✓ | ✓ | | `create` | ✓ | ✓ | | `edit` | ✓ | ✓ | | `delete` | ✓ | ✓ | | `details` | ✓ | ✓ | | `export` | ✓ | ✓ | | `ajax_lookup` (before fix) | ✗ | ✗ | | `ajax_lookup` (after fix) | ✓ | ✓ | Note: before this fix, `ajax_lookup` also lacked the `@login_required` decorator — unauthenticated users could query it directly. That was addressed in #1035. This report covers the remaining gap: authenticated but unauthorized users. ### Patches Two changes were made to `ajax_lookup`: 1. Replaced the hand-rolled authentication check added in #1035 with the standard `@login_required` decorator used by all other endpoints. 2. Added the missing `is_accessible(request)` check, raising `HTTP 403` when it returns `False`. ### Workarounds None. Developers relying on `is_accessible()` to restrict model visibility are exposed regardless of what other access controls are in place.