Add django-user-sessions package for more easily managing sessions
and correlating them with user accounts.

Add/update tests of all web views in the superevents app for
public/unauthenticated access

Add/update tests of unauthenticated access to search web views

Now show 'Login' button if user is not authenticated.

Adding/updating tests of unauthenticated access to the
superevents API.

We now have a single API endpoint, /api/, which can handle all
authentication methods directed to it.  The /apibasic/ and
/apiweb/ URLs will probably be maintained for legacy reasons,
but will not include any additional logic (they will just be
carbon-copies of /api/ under a different namespace).

Some of the "main" API views now use the default permissions
as defined in the settings, rather than individually set
permissions.

Added a viewset mixin which causes the viewset to inherit the default
permissions defined for the API in the settings file, rather than
overwriting them if any permission classes are specified in the
class definition.

This helps to allow global control of unauthenticated access with
a single settings variable (see previous commit).

We use a few redirects to handle login and extraction of the
shibboleth attributes in a post-login page.

Can be used to restrict access to a view to only the groups
whose names are passed as arguments to the decorator.

Complete rework of authentication middleware and backends for
both the web view and the API. There is now a single URL (after
the login page) where the shibboleth attributes are put into
the session and the user is authenticated and a persistent
Django session is created.

Utility function for determining whether a request is directed at the
API.  Can specify that the check is for a certain API "type", like
shibboleth, X509, or basic.

Event file list web view was incorrectly showing the symlinked
version of a file to external users, even when they didn't have
permission to view that version of the file.

We now use ValidateDestroyMixin rather than SafeDeleteMixin for
handling removal of events from a superevent.  Some additional
logic in other places was no longer needed.

Some of the search utilities were still in the separate
events and superevents apps, so we moved them to the search app
and tried to clean things up a bit.  It's still kind of a mess
and probably not worth doing a full cleanup until we rework
the search.

Allow queries on whether a superevent is publicly available or
not. Add documentation to the query help page.

Queries which directly include a superevent ID should not have the
default category restrictions (not Test & not MDC) applied since
the category is determined by the superevent ID prefix.

Create new CustomDecimalField for handling float inputs better
than they are handled in rest_framework.fields.DecimalField.