1. Explicitly added OAuth2 and Session as the authentication types
allowed. Django Rest Framework allows the use of defaults via
settings, but this may have unwanted side-effects since there are
others using DRF with different APIs that have different requirements.

2. Created a ReadRestrictedDjangoModelPermissions class that is a
subclass of DjangoModelPermissions. DjangoModelPermissions only cares
about edit/update/delete permissions and makes everything world
readable by default, which is not desirable for this API.

3. Added the DRF login URLs for running this project locally.

4. Add edX fork of django-oauth2-provider to requirements.