Secure read access to /users endpoint.

- auth field is never returned
- unauthenticated access is rejected
- non-admin users can only access themselves

tests/common_test_class.py

@@ -105,6 +105,8 @@ class AbstractPillarTest(TestMinimal):
             return found['_id'], found
 
     def create_user(self, user_id='cafef00dc379cf10c4aaceaf', roles=('subscriber', )):
+        from application.utils.authentication import make_unique_username
+
         with self.app.test_request_context():
             users = self.app.data.driver.db['users']
             assert isinstance(users, pymongo.collection.Collection)
@@ -113,7 +115,7 @@ class AbstractPillarTest(TestMinimal):
                 '_id': ObjectId(user_id),
                 '_updated': datetime.datetime(2016, 4, 15, 13, 15, 11, tzinfo=tz_util.utc),
                 '_created': datetime.datetime(2016, 4, 15, 13, 15, 11, tzinfo=tz_util.utc),
-                'username': 'tester',
+                'username': make_unique_username('tester'),
                 'groups': [],
                 'roles': list(roles),
                 'settings': {'email_communications': 1},