Base test class for event permission testing where we create
events which are available to internal and LV-EM users. Also added
a utility mixin for exposing event logs to LV-EM, since
unfortunately, it's handled differently than for superevents for
the time being.

For the base test class which creates an LV-EM user and the
LV-EM observers group, we now also create the basic LV-EM group
and add the user to it as well.

URLs for editing contacts and notifications were defined, but the
view functions just returned 404 responses.  So what's the point
in having them at all?

A weird web view for processing GET (!) parameters and running
buildVOEvent exists in the events app.  I can't believe this is
still ever used and it should not be used in favor of the API.
So I am removing it!

Add django-user-sessions package for more easily managing sessions
and correlating them with user accounts.

Add/update tests of all web views in the superevents app for
public/unauthenticated access

Add/update tests of unauthenticated access to search web views

Now show 'Login' button if user is not authenticated.

Adding/updating tests of unauthenticated access to the
superevents API.

We now have a single API endpoint, /api/, which can handle all
authentication methods directed to it.  The /apibasic/ and
/apiweb/ URLs will probably be maintained for legacy reasons,
but will not include any additional logic (they will just be
carbon-copies of /api/ under a different namespace).

Some of the "main" API views now use the default permissions
as defined in the settings, rather than individually set
permissions.

Added a viewset mixin which causes the viewset to inherit the default
permissions defined for the API in the settings file, rather than
overwriting them if any permission classes are specified in the
class definition.

This helps to allow global control of unauthenticated access with
a single settings variable (see previous commit).

We use a few redirects to handle login and extraction of the
shibboleth attributes in a post-login page.

Can be used to restrict access to a view to only the groups
whose names are passed as arguments to the decorator.

Complete rework of authentication middleware and backends for
both the web view and the API. There is now a single URL (after
the login page) where the shibboleth attributes are put into
the session and the user is authenticated and a persistent
Django session is created.

Utility function for determining whether a request is directed at the
API.  Can specify that the check is for a certain API "type", like
shibboleth, X509, or basic.

Event file list web view was incorrectly showing the symlinked
version of a file to external users, even when they didn't have
permission to view that version of the file.