BREAKING: remove users-list, create, remove id-req

- The removed API's appears unused, and we explicitly do not want to
  allow people to create users any more.
- The list endpoint was just leaking a _lot_ of data
- Id should not be required for the API. If we as superusers want to
  anonymize someone that would be better done as a django command,
  otherwise you can only access your own stuff.
- Remove IsSelfOrSuperUser as it was only used there.

apps/authentication/api/tests/user_data_tests.py

@@ -179,7 +179,7 @@ def setUp(self):
         self.other_user: User = generate_user(username="other_user")
         self.client.force_authenticate(user=self.user)
 
-        self.id_url = lambda _id: f"/api/v1/users/{str(_id)}/dump-data/"
+        self.url = reverse("users-dump-data")
 
         self.period_start = date(2017, 3, 1)
         self.period_end = self.period_start + timedelta(days=366)
@@ -192,23 +192,23 @@ def setUp(self):
         }
 
     def test_dump_data_contains_name(self):
-        response = self.client.get(self.id_url(self.user.id))
+        response = self.client.get(self.url)
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(response.json().get("name"), self.user.get_full_name())
 
     def test_dump_data_contains_attendees(self):
         self.event = generate_event()
         self.attendee1 = attend_user_to_event(user=self.user, event=self.event)
 
-        response = self.client.get(self.id_url(self.user.id))
+        response = self.client.get(self.url)
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(len(response.json().get("attendees")), 1)
 
     def test_dump_data_contains_companies(self):
         self.event = generate_company_event()
         attend_user_to_event(user=self.user, event=self.event)
 
-        response = self.client.get(self.id_url(self.user.id))
+        response = self.client.get(self.url)
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         self.assertEqual(
             response.json().get("attendees")[0].get("companies"),

apps/authentication/api/views.py

@@ -1,5 +1,7 @@
+from django.conf import settings
 from django.contrib.auth.models import Group, Permission
 from django.core.signing import Signer
+from django.urls import reverse
 from rest_framework import mixins, status, viewsets
 from rest_framework.decorators import action
 from rest_framework.permissions import AllowAny, IsAuthenticated
@@ -28,16 +30,13 @@
 from apps.permissions.drf_permissions import DjangoObjectPermissionOrAnonReadOnly
 
 from .filters import OnlineGroupFilter, UserFilter
-from .permissions import IsSelfOrSuperUser
 from .serializers.user_data import UserDataSerializer
 
 
 class UserViewSet(
     MultiSerializerMixin,
     viewsets.GenericViewSet,
-    mixins.ListModelMixin,
     mixins.RetrieveModelMixin,
-    mixins.CreateModelMixin,
     mixins.UpdateModelMixin,
 ):
     """
@@ -47,7 +46,7 @@ class UserViewSet(
     def get_serializer_class(self):
         return self.serializer_classes.get(self.action, UserReadOnlySerializer)
 
-    permission_classes = (IsSelfOrSuperUser,)
+    permission_classes = (IsAuthenticated,)
     filterset_class = UserFilter
     queryset = User.objects.all()
     serializer_classes = {
@@ -59,41 +58,42 @@ def get_serializer_class(self):
     }
 
     # See templates/events/index.html. This is exposing this logic in the api.
-    @action(detail=True, methods=["get"], url_path="personalized_calendar_link")
-    def personalized_calendar_link(self, request, pk=None):
-        user: User = self.get_object()
-        username = user.username
+    @action(detail=False, methods=["get"])
+    def personalized_calendar_link(self, request):
+        username = request.user.username
         signer = Signer()
         signed_value = signer.sign(username)
 
-        link = f"http://old.online.ntnu.no/events/user/{signed_value}.ics"
+        link = settings.BASE_URL + reverse(
+            "events_personal_ics", kwargs={"user": signed_value}
+        )
         return Response(data={"link": link}, status=status.HTTP_200_OK)
 
-    @action(detail=True, methods=["put"])
-    def anonymize_user(self, request, pk=None):
-        user: User = self.get_object()
+    @action(detail=False, methods=["put"])
+    def anonymize_user(self, request):
+        user: User = request.user
         serializer = self.get_serializer(user, data=request.data)
         serializer.is_valid(raise_exception=True)
         serializer.save()
 
         return Response(data=None, status=status.HTTP_204_NO_CONTENT)
 
-    @action(detail=True, methods=["get"], url_path="dump-data")
-    def dump_data(self, request, pk: int):
-        user: User = self.get_object()
+    @action(detail=False, methods=["get"], url_path="dump-data")
+    def dump_data(self, request):
+        user = request.user
         serializer = self.get_serializer(user)
 
         return Response(data=serializer.data, status=status.HTTP_200_OK)
 
-    @action(detail=True, methods=["get"], url_path="permissions")
-    def user_permissions(self, request, pk):
+    @action(detail=False, methods=["get"], url_path="permissions")
+    def user_permissions(self, request):
         """
         Returns all permissions for a given user.
         Codename is "action_object", e.g. "delete_profile".
         Content_type is ID of object type.
         If you want to group permissions, you can group on object type and map the ID to the object from the codename string.
         """
-        user = self.get_object()
+        user = request.user
         if user.is_superuser:
             permissions = Permission.objects.all().order_by("content_type")
         else: