Description
Currently, django-guardian is implemented for the built-in Django admin. Since Roundware is project-based, we only have object-level permissions applied to the project model and those essentially pass through to all other models via the project_id foreign key.
This works nicely, but we now need Guardian's object-level permissions to apply to the API responses generated by Django REST Framework (DRF) (api/2/) for a new admin system. We need to be able to assign object-level permissions to users on the project model and have those filter the returned results by project.
There is a Django app django-rest-framework-guardian that is supposed to extend Guardian functionality to DRF: https://github.com/rpkilby/django-rest-framework-guardian
Roundware APIV2 docs: https://roundware.org/api/
roundware-admin is the new admin system we are developing (for reference to the use-case): https://github.com/roundware/roundware-admin/
Other Useful Documentation
http://www.django-rest-framework.org/api-guide/permissions/#djangoobjectpermissions
http://www.django-rest-framework.org/api-guide/filtering/#filtering-against-the-current-user
http://www.django-rest-framework.org/api-guide/filtering/#djangoobjectpermissionsfilter
http://www.django-rest-framework.org/tutorial/4-authentication-and-permissions/#associating-snippets-with-users
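An added, framework-free sketch of the behaviour requested above (not code from Roundware, django-guardian or django-rest-framework-guardian): a permission held on a project filters list results for a project-scoped model through its project_id, and a write is checked against both the current and the destination project. The table names, the `access_project` codename and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed stand-in schema (not Roundware's): a project table, one
# project-scoped model, and per-user object permissions held on projects.
SCHEMA = """
CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE asset (id INTEGER PRIMARY KEY, project_id INTEGER, filename TEXT);
CREATE TABLE project_perm (username TEXT, project_id INTEGER, codename TEXT);
"""
PERM = "access_project"  # hypothetical permission codename

def build_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO project VALUES (?, ?)", [(1, "alpha"), (2, "beta")])
    db.executemany("INSERT INTO asset VALUES (?, ?, ?)", [
        (10, 1, "a.wav"), (11, 1, "b.wav"), (20, 2, "c.wav"),
        (30, None, "orphan.wav"),  # no project: nobody can be granted access
    ])
    db.executemany("INSERT INTO project_perm VALUES (?, ?, ?)", [
        ("alice", 1, PERM), ("bob", 2, PERM),
        ("bob", 1, "view_stats"),  # a different permission must not leak rows
    ])
    return db

def list_assets(db, username, codename=PERM):
    """List view: return only assets whose project the user holds `codename` on.
    The inner join makes this default-deny (no grant or NULL project_id -> no row)."""
    rows = db.execute(
        "SELECT DISTINCT a.id FROM asset a "
        "JOIN project_perm p ON p.project_id = a.project_id "
        "WHERE p.username = ? AND p.codename = ? ORDER BY a.id",
        (username, codename))
    return [r[0] for r in rows]

def can_write_asset(db, username, asset_id, new_project_id=None, codename=PERM):
    """Detail/write view: check the asset's current project and, when the
    request changes project_id, the destination project as well."""
    row = db.execute("SELECT project_id FROM asset WHERE id = ?", (asset_id,)).fetchone()
    if row is None or row[0] is None:
        return False
    granted = {r[0] for r in db.execute(
        "SELECT project_id FROM project_perm WHERE username = ? AND codename = ?",
        (username, codename))}
    needed = {row[0]} if new_project_id is None else {row[0], new_project_id}
    return needed <= granted
```

In a DRF view the list query corresponds to a filter backend and the write check to an object-level permission class; filtering the list alone leaves detail and update routes unchecked.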