Report API Quirks

[zcrt]

Describe the bug
The report API as introduced in #3746 behaves unexpectedly in some cases:

1. GET scheduled aggregate report returns:

{
                "id": "74def394-2217-4af4-b50a-7c256b488f0c",
                "report_name_format": "Maandelijks ${report_type} voor ${oois_count} objecten",
                "subreport_name_format": "",
                "input_recipe": {
                    "query": {
                        "search_string": "",
                        "asc_desc": "desc",
                        "ooi_types": [
                            "IPAddressV6",
                            "IPAddressV4",
                            "Hostname"
                        ],
                        "order_by": "object_type",
                        "scan_level": [
                            1,
                            2,
                            3,
                            4
                        ],
                        "scan_type": [
                            "declared"
                        ]
                    }
                },
                "report_types": [
                    "ipv6-report",
                    "mail-report",
                    "name-server-report",
                    "open-ports-report",
                    "rpki-report",
                    "safe-connections-report",
                    "systems-report",
                    "vulnerability-report",
                    "web-system-report"
                ],
                "cron_expression": "48 10 5 * *"
}

When using that recipe as a POST in another organisation KAT returns:

{"type":"validation_error","errors":[{"code":"blank","detail":"This field may not be blank.","attr":"subreport_name_format"}]}

2. When trying the above with something filled in the subreport_name_format (e.g. "Aggregate Organisation Report") the organisations posted to instead create a "Concatenated report" with a different Scheduled for time.
3. When doing 2) again a new "Concatenated report" is created, even though the id given in the POST is the same as POST-ed before.
4. When attempting to access the API endpoints in the browser when logged in KAT throws an AssertionError.

To Reproduce
Steps to reproduce the behavior:

1. Create a scheduled aggregate report
2. GET it
3. POST it
4. Try accessing through the browser when logged in.

Expected behavior
What I am looking for is something like /clone_katalogus_settings/ but instead for reports. This should be doable by GET-ing and POST-ing instead but the above quirks make it difficult.

Screenshots
1,2,3)

4. 

OpenKAT version
main - 4/5 dec.