fix: remove superfluous retrieve/update actions for APIUserViewSet

The retrieve and update actions can be removed because the get_queryset
method already ensures that the user has only access to their own user
object (or all user objects in case of superusers).

Sending 401 responses for unauthorized requests may also be considered
leaky, because it exposes that these objects exist instead of returning
a 404 that simply states that no object with that primary key can be
found.

program/views.py

@@ -193,6 +193,7 @@ def json_playout(request):
 
 
 class APIUserViewSet(
+    DisabledObjectPermissionCheckMixin,
     mixins.CreateModelMixin,
     mixins.RetrieveModelMixin,
     mixins.UpdateModelMixin,
@@ -218,18 +219,6 @@ class APIUserViewSet(
 
         return queryset
 
-    def retrieve(self, request, *args, **kwargs):
-        """Returns a single user."""
-        pk = get_values(self.kwargs, "pk")
-
-        # Common users only see themselves
-        if not request.user.is_superuser and pk != request.user.id:
-            return Response(status=status.HTTP_401_UNAUTHORIZED)
-
-        user = get_object_or_404(User, pk=pk)
-        serializer = UserSerializer(user)
-        return Response(serializer.data)
-
     def create(self, request, *args, **kwargs):
         """
         Create a User.
@@ -248,32 +237,6 @@ class APIUserViewSet(
 
         return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
-    def update(self, request, *args, **kwargs):
-        """
-        Updates the user’s data.
-
-        Non-superusers may not be able to edit all of the available data.
-        """
-        pk = get_values(self.kwargs, "pk")
-
-        serializer = UserSerializer(data=request.data)
-        # Common users may only edit themselves
-        if not request.user.is_superuser and pk != request.user.id:
-            return Response(
-                serializer.initial_data, status=status.HTTP_401_UNAUTHORIZED
-            )
-
-        user = get_object_or_404(User, pk=pk)
-        serializer = UserSerializer(
-            user, data=request.data, context={"user": request.user}
-        )
-
-        if serializer.is_valid():
-            serializer.save()
-            return Response(serializer.data)
-
-        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
-
 
 class APIShowViewSet(DisabledObjectPermissionCheckMixin, viewsets.ModelViewSet):
     """