fix: don’t limit the user queryset if the method is safe or the requesting is superuser

Closes #177

program/views.py

@@ -265,12 +265,12 @@ class APIUserViewSet(
     search_fields = ["username", "first_name", "last_name", "email"]
 
     def get_queryset(self):
-        """The queryset contains all the users if the requesting user is a superuser, otherwise it
-        only contains the requesting user."""
+        """The queryset contains all the users if the method is safe or requesting user is a
+        superuser, otherwise it only contains the requesting user."""
 
         user = self.request.user
 
-        if user.is_superuser:
+        if self.request.method in permissions.SAFE_METHODS or user.is_superuser:
             return User.objects.all()
         else:
             return User.objects.filter(pk=user.id)
@@ -306,7 +306,7 @@ class APIImageViewSet(viewsets.ModelViewSet):
     pagination_class = LimitOffsetPagination
 
     def get_queryset(self):
-        """The queryset contains all the images if the method is safe, otherwise it only includes
+        """The queryset contains all the images if the method is safe, otherwise it only contains
         the images owned by the requesting user."""
 
         if self.request.method in permissions.SAFE_METHODS:
@@ -715,9 +715,8 @@ class APINoteViewSet(
     serializer_class = NoteSerializer
 
     def get_queryset(self):
-        """The queryset contains all the notes if the method is safe or the requesting user is
-        member of the privileged group, otherwise it only includes the notes for show owned by the
-        requesting user."""
+        """The queryset contains all the notes if the method is safe or the requesting user is a
+        superuser, otherwise it only contains the notes for shows owned by the requesting user."""
 
         user = self.request.user