Non-admin endpoints allow un-authenticated access

[akochnev]

This is a security issue in that it allows anyone to hit that API endpoint and retrieve the emails/names of the registered users. Repro steps:

1. From a command line (guaranteed not to send any additional information like a cookie or a header), call the endpoint

curl -X GET "http://localhost:8000/api/user/1/" -H "accept: application/json"

It responds with :
{"id":1,"email":"kalin.kochnev@gmail.com","first_name":"Kalin","last_name":"Kochnev","is_anon":false}

I can do this for all IDs in the system and pull out the registered emails and names

I do see a reason to provide some of this information to authenticated users (e.g. as a user browsing the site, I might want to be able to see the names or registered contact info for a specific user), but this seems like it shouldn't be available to unauthenticated users.

I observed this on a few different endpoints:

• /api/user/{userId}
• /api/district/

There are probably others as well.