Routing specs and controller specs don't set warden on the request
environment. While we could try to re-implement Warden/Devise logic
here, it's much easier to not rely on the environment to be set.
While I'm usually opposed to changing production code to make testing
easier, it does avoid a lot of complication in this case. And maybe it
would be handy in other circumstances to have a more defensive approach
to checking the logged-in user.
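
One way the defensive check described in this commit message could look, as an added example that is not the project's own code. The class name `AuthenticatedConstraint`, its `scope:` parameter, and the `FakeRequest`/`FakeWarden` stand-ins are assumptions made for illustration; the only real interface relied on is the Warden proxy that the Warden middleware stores under `request.env['warden']` and its `user(scope)` method.

```ruby
# Hypothetical routing constraint (assumed name and shape, not from the commit).
# In a full request the Warden middleware puts its proxy in env['warden'];
# routing and controller specs build requests without that middleware,
# so the key can be absent.
class AuthenticatedConstraint
  def initialize(scope: :user)
    @scope = scope
  end

  # Fail closed: a missing or unusable proxy means "not logged in".
  # It never raises and never grants access by default.
  def matches?(request)
    !current_user(request).nil?
  end

  def current_user(request)
    env = request.respond_to?(:env) ? request.env : nil
    warden = env && env['warden']
    return nil unless warden.respond_to?(:user)

    warden.user(@scope)
  end
end

# Constructed stand-ins for a Rack request and a Warden proxy,
# so the example runs without Rails or Devise loaded.
FakeRequest = Struct.new(:env)

class FakeWarden
  def initialize(users)
    @users = users
  end

  def user(scope = :user)
    @users[scope]
  end
end

# Sample requests (constructed): one as a spec would build it, one with a session.
SPEC_REQUEST   = FakeRequest.new({})
LOGGED_IN      = FakeRequest.new({ 'warden' => FakeWarden.new(user: 'alice') })
LOGGED_OUT     = FakeRequest.new({ 'warden' => FakeWarden.new({}) })
```
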