Implement OAuth2 provider (#927)

- [x] Application management
  - [x] Link
  - [ ] Tests
- [x] Authorize flow
  - [x] Tests
- [x] Refresh token handling
  - [x] Tests
- [x] Revocation endpoint
  - [x] Tests
  - [x] Mitigate: https://github.com/jazzband/django-oauth-toolkit/issues/585
- [x] API authenticator / permission driver
  - [x] Test
- [x] Enforce organizer restriction
  - [x] Tests
- [x] Enforce scope restriction
  - [x] Tests
- [x] Show current applications to user
  - [x] Revoke
  - [x] Tests
- [x] Log new authorizations
  - [x] notify user
- [x] Ensure other grant types are not available
- [x] Documentation
- [x] check if revoking access toking, then refreshing gets rid of organizer constraint
- [x] Show logentry foo

src/pretix/api/views/organizer.py

@@ -1,5 +1,6 @@
 from rest_framework import viewsets
 
+from pretix.api.models import OAuthAccessToken
 from pretix.api.serializers.organizer import OrganizerSerializer
 from pretix.base.models import Organizer
 
@@ -14,6 +15,12 @@ class OrganizerViewSet(viewsets.ReadOnlyModelViewSet):
         if self.request.user.is_authenticated():
             if self.request.user.has_active_staff_session(self.request.session.session_key):
                 return Organizer.objects.all()
+            elif isinstance(self.request.auth, OAuthAccessToken):
+                return Organizer.objects.filter(
+                    pk__in=self.request.user.teams.values_list('organizer', flat=True)
+                ).filter(
+                    pk__in=self.request.auth.organizers.values_list('pk', flat=True)
+                )
             else:
                 return Organizer.objects.filter(pk__in=self.request.user.teams.values_list('organizer', flat=True))
         else: