API and CSV fixes

[rtibbles]

Summary

• Updates auth API permissions to restrict access for non-admins
• Updates ValuesViewset to restore default filtering behaviour when doing object detail queries
• Filters both detail and list endpoints in permissions filter
• Adds sanitization to CSV writing

---

Testing checklist

• Contributor has fully tested the PR manually
• If there are any front-end changes, before/after screenshots are included
• Critical user journeys are covered by Gherkin stories
• Critical and brittle code paths are covered by unit tests

PR process

• PR has the correct target branch and milestone
• PR has 'needs review' or 'work-in-progress' label
• If PR is ready for review, a reviewer has been added. (Don't use 'Assignees')
• If this is an important user-facing change, PR or related issue has a 'changelog' label
• If this includes an internal dependency change, a link to the diff is provided

Reviewer checklist

• Automated test coverage is satisfactory
• PR is fully functional
• PR has been tested for accessibility regressions
• External dependency files were updated if necessary (yarn and pip)
• Documentation is updated
• Contributor is in AUTHORS.md

[radinamatic]

• EXE asset installed on Windows 10 ✔️
• imported a CSV with 70 users ✔️
• 2 new classes created, learners enrolled, coaches assigned ✔️
• class deleted ✔️
• 3 groups created, learners searched for and assigned ✔️
• group deleted ✔️
• details added to 2 users ✔️
• CSV exported and checked to confirm all the changes ✔️

No sign of UI issues and/or errors in the console, good to go! 👍🏽

[radinamatic]

Manual QA is looking good, !

[jredrejo]

lThere's one point I don't quite understand so it would be great if you can comment it.
For the most part, loving these changes

[rtibbles]

Have addressed all comments - as long as tests pass, this should be good to merge.