Add read-only mode to REST API

[dajtxx]

We need a mode where external actors can read data from the REST API but not create/update/delete anything.

The simplest way might be to add a read-only flag to the user table and if that flag is set only allow GET methods to be used.

This is not as flexible as a role-based system with permissions, but will be sufficient for now.

[bsefton12]

Changes have been merged into master.