refactor collection filters with django_filters

This MR aims to re-implement existing collection filters in api viewsets that are implemented in get_queryset methods with django-filter filtersets.

This has multiple advantages:

• DRF will auto-generate a filter form for the filterset fields when browsing the API with the browser, making it easier to browse & filter collections.
• Filter values can easily be validated and most are validated out-of-the-box.
• Filter documentation can be added per filter.
• django_filter is supported by drf-spectecular, which will generate a nice and tidy OpenAPI documentation for us.

program/views.py

@@ -195,26 +195,26 @@ class APIUserViewSet(
     viewsets.GenericViewSet,
 ):
     """
-    /users returns oneself. Superusers see all users. Only superusers may create a user (GET, POST)
-    /users/{pk} retrieves or updates a single user. Non-superusers may only update certain fields
-     (GET, PUT)
+    Returns a list of users.
 
-    Superusers may access and update all users.
+    Only returns the user that is currently authenticated unless the user is a superuser.
     """
 
     permission_classes = [permissions.DjangoModelPermissionsOrAnonReadOnly]
     serializer_class = UserSerializer
-    queryset = User.objects.none()
+    queryset = User.objects.all()
 
     def get_queryset(self):
-        """Constrain access to oneself except for superusers"""
-        if self.request.user.is_superuser:
-            return User.objects.all()
+        queryset = super().get_queryset()
+
+        # Constrain access to oneself except for superusers.
+        if not self.request.user.is_superuser:
+            queryset = queryset.filter(pk=self.request.user.id)
 
-        return User.objects.filter(pk=self.request.user.id)
+        return queryset
 
     def retrieve(self, request, *args, **kwargs):
-        """Returns a single user"""
+        """Returns a single user."""
         pk = get_values(self.kwargs, "pk")
 
         # Common users only see themselves
@@ -227,8 +227,9 @@ class APIUserViewSet(
 
     def create(self, request, *args, **kwargs):
         """
-        Create a User
-        Only superusers may create a user
+        Create a User.
+
+        Only superusers may create users.
         """
 
         if not request.user.is_superuser:
@@ -243,6 +244,11 @@ class APIUserViewSet(
         return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
     def update(self, request, *args, **kwargs):
+        """
+        Updates the user’s data.
+
+        Non-superusers may not be able to edit all of the available data.
+        """
         pk = get_values(self.kwargs, "pk")
 
         serializer = UserSerializer(data=request.data)
@@ -267,6 +273,7 @@ class APIUserViewSet(
 class APIShowViewSet(viewsets.ModelViewSet):
     """
     Returns a list of available shows.
+
     Only superusers may add and delete shows.
     """