- Dec 03, 2018
-
Tanner Prestegard authored
-
Tanner Prestegard authored
Adding/updating tests of unauthenticated access to the superevents API.
-
Tanner Prestegard authored
-
Tanner Prestegard authored
-
Tanner Prestegard authored
-
Tanner Prestegard authored
We now have a single API endpoint, /api/, which can handle all authentication methods directed to it. The /apibasic/ and /apiweb/ URLs will probably be maintained for legacy reasons, but will not include any additional logic (they will just be carbon-copies of /api/ under a different namespace).
-
Tanner Prestegard authored
Some of the "main" API views now use the default permissions as defined in the settings, rather than individually set permissions.
-
Tanner Prestegard authored
Added a viewset mixin which causes the viewset to inherit the default permissions defined for the API in the settings file, rather than overwriting them if any permission classes are specified in the class definition. This helps to allow global control of unauthenticated access with a single settings variable (see previous commit).
-
Tanner Prestegard authored
-
Tanner Prestegard authored
-
Tanner Prestegard authored
-
Tanner Prestegard authored
We use a few redirects to handle login and extraction of the shibboleth attributes in a post-login page.
-
Tanner Prestegard authored
Can be used to restrict access to a view to only the groups whose names are passed as arguments to the decorator.
-
Tanner Prestegard authored
Complete rework of authentication middleware and backends for both the web view and the API. There is now a single URL (after the login page) where the shibboleth attributes are put into the session and the user is authenticated and a persistent Django session is created.
-
Tanner Prestegard authored
Utility function for determining whether a request is directed at the API. Can specify that the check is for a certain API "type", like shibboleth, X509, or basic.
-
Tanner Prestegard authored
-
- Nov 27, 2018
-
Tanner Prestegard authored
-
- Nov 15, 2018
-
Tanner Prestegard authored
Event file list web view was incorrectly showing the symlinked version of a file to external users, even when they didn't have permission to view that version of the file.
-
- Nov 14, 2018
-
GraceDB authored
-
- Nov 12, 2018
-
Tanner Prestegard authored
-
- Nov 07, 2018
-
Tanner Prestegard authored
-
GraceDB authored
We now use ValidateDestroyMixin rather than SafeDeleteMixin for handling removal of events from a superevent. Some additional logic in other places was no longer needed.
-
Tanner Prestegard authored
-
Tanner Prestegard authored
-
Tanner Prestegard authored
Some of the search utilities were still in the separate events and superevents apps, so we moved them to the search app and tried to clean things up a bit. It's still kind of a mess and probably not worth doing a full cleanup until we rework the search.
-
- Nov 02, 2018
-
Tanner Prestegard authored
Allow queries on whether a superevent is publicly available or not. Add documentation to the query help page.
-
Tanner Prestegard authored
Queries which directly include a superevent ID should not have the default category restrictions (not Test & not MDC) applied since the category is determined by the superevent ID prefix.
-
Tanner Prestegard authored
-
Tanner Prestegard authored
-
Tanner Prestegard authored
Create new CustomDecimalField for handling float inputs better than they are handled in rest_framework.fields.DecimalField.
-
Tanner Prestegard authored
-
Tanner Prestegard authored
-
- Oct 29, 2018
-
Tanner Prestegard authored
-
Tanner Prestegard authored
-
Tanner Prestegard authored
-
Tanner Prestegard authored
No need to have explicit view functions for a few basic views; we just use the built-in TemplateView instead.
-
- Oct 23, 2018
-
Tanner Prestegard authored
-
- Oct 17, 2018
-
Tanner Prestegard authored
-
Tanner Prestegard authored
Some X509 certificate subjects which were obtained from the LIGO LDAP were being truncated upon insertion into the database since they were longer than the upper limit imposed here of 200 characters. I asked the LIGO auth team for guidance as to whether there is any kind of upper limit imposed at that level, but did not receive any feedback. So I am increasing it to 300 characters here and hoping that is enough that we will never have to revisit this issue. It will also be necessary to clean up any certificates in the database which are truncated.
-
Tanner Prestegard authored
Robot user group memberships are entirely managed within GraceDB and should not be added/removed based on request header content.