403 when a user is on a page to modify leaderboards they do not own #31

@awhigham9

Description

Currently, some of our views do not check if the user on a page to modify a leaderboard is the owner of that page. While we hide the links in our UI, this is not enough because a malicious user could simply type in the URL.

For example, if a user who does not own the leaderboard with id=19 goes to the route app/leaderboard/19/manage_partcipants the user can modify the participants of the leaderboard. Instead, we should check for this in the view like this:

from django.shortcuts import get_object_or_404, render

# View name assumed for illustration; Leaderboard and template are the app's own.
def manage_participants(request, id):
    leaderboard = get_object_or_404(Leaderboard, id=id)
    if leaderboard.owner == request.user:
        # Do stuff
        return render(request, template)
    else:
        # Not the owner: render the 403 page with a real 403 status code
        return render(request, "403.html", status=403)

This is very important to fix because without it the website is vulnerable to abuse.
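Since the issue says several views share the same gap, a reusable decorator is usually cleaner than repeating the check in each view. The following is an added example, not code from this project: it mirrors the Django view shape (a view receives `request` plus the URL's `id` keyword argument, `request.user` carries `is_authenticated`, and the response has a `status_code`) but uses tiny in-memory stand-ins for the user model, the `Leaderboard` table and the responses so it runs without Django installed. In the real app the lookup would be `get_object_or_404(Leaderboard, id=id)` and the responses would be `render(...)` with the appropriate status. The `hide_existence` option is an added caveat: for sensitive objects, answering 404 instead of 403 to non-owners avoids confirming which ids exist.

```python
"""Object-level ownership check for leaderboard 'manage' views.

Added example, not the project's code. Names (owner_required,
manage_participants, edit_leaderboard) and the sample data are assumptions.
"""
from dataclasses import dataclass
from functools import wraps


@dataclass
class User:
    """Stand-in for the Django user; AnonymousUser has is_authenticated=False."""
    id: int
    is_authenticated: bool = True


ANONYMOUS = User(id=0, is_authenticated=False)


@dataclass
class Leaderboard:
    """Stand-in for the Leaderboard model with its owner foreign key."""
    id: int
    owner: User


@dataclass
class Response:
    """Stand-in for an HttpResponse; only the status code matters here."""
    status_code: int
    body: str


class Request:
    """Stand-in for HttpRequest; Django attaches the logged-in user here."""
    def __init__(self, user):
        self.user = user


# Constructed sample data standing in for the Leaderboard table.
alice, bob = User(1), User(2)
LEADERBOARDS = {19: Leaderboard(19, owner=alice)}


def owner_required(hide_existence=False):
    """Decorate a view that takes the leaderboard ``id`` from the URL.

    The view body only runs when request.user owns that leaderboard. The
    loaded object is handed to the view as ``leaderboard`` so the view does
    not repeat the lookup. Unauthenticated users and non-owners get 403, or
    404 when hide_existence=True so the response does not reveal which ids
    exist. A missing id is always 404 (get_object_or_404 behaviour).
    """
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, id, **kwargs):
            leaderboard = LEADERBOARDS.get(id)
            if leaderboard is None:
                return Response(404, "Not found")
            user = request.user
            if not user.is_authenticated or leaderboard.owner != user:
                if hide_existence:
                    return Response(404, "Not found")
                return Response(403, "Forbidden")
            return view(request, *args, leaderboard=leaderboard, **kwargs)
        return wrapper
    return decorator


@owner_required()
def manage_participants(request, leaderboard):
    # Only reached for the owner; typing the URL directly no longer helps.
    return Response(200, f"manage participants of leaderboard {leaderboard.id}")


@owner_required(hide_existence=True)
def edit_leaderboard(request, leaderboard):
    # Same check, but non-owners cannot tell whether id 19 exists at all.
    return Response(200, f"edit leaderboard {leaderboard.id}")


if __name__ == "__main__":
    print(manage_participants(Request(alice), id=19).status_code)  # owner
    print(manage_participants(Request(bob), id=19).status_code)    # not owner
    print(manage_participants(Request(ANONYMOUS), id=19).status_code)
    print(edit_leaderboard(Request(bob), id=19).status_code)       # hidden
```

Applying the decorator to every view under `app/leaderboard/<id>/...` that modifies state is the point; hiding the links in the template stays purely cosmetic.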

Labels: bug (Something isn't working)