Discovered that AJAX requests to the API from the web view were
using certificates in people's browsers even if they were logged
out of the Django session.  So when they wanted to view the page
as a public user they still saw some extra information.

No security risk since they needed to have a valid certificate
anyway, but a bit annoying.