    Don't allow access to the API Tokens resource if using an API token.

    Review Request #6257 — Created Aug. 23, 2014 and submitted — Latest diff uploaded

    Information

    Review Board
    master
    d2e02aa...

    Reviewers

    This change blocks off access to the user's API Tokens resource if the
    user is logging in through an API token. They instead have to log in
    using their main username and password.

    This prevents a vulnerability where a client using a restricted API
    token that still had read access to the API Tokens resource would be
    able to look up a more permissive token and use that.

    There's a new 'api_token_access_allowed' flag on resources that can be
    turned off to prevent token-based access.

    Some work had to be done to the basic test mixins to only perform the
    API tokens test if the unit tests don't turn it off.

    Unit tests pass.

    I tested manually using curl with and without API tokens. I wasn't able
    to access the API Tokens resource with any token.
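
As an added illustration, not code from this change or from Review Board itself, the following Python sketch models the access rule the description introduces: a resource-level `api_token_access_allowed` flag that, when off, refuses any request whose session was authenticated by an API token before the normal per-method policy is evaluated. The `Request`, `Resource`, `check_access` and `get_api_tokens` names, the token records and the `{"stat": ..., "err": ...}` response shape are all constructed for the example; the weak configuration (flag on) is shown beside the corrected one (flag off) so the difference in outcome is visible.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data: one user holding two tokens of differing scope,
# as the API Tokens resource would list them. The values are placeholders.
API_TOKENS: Dict[str, List[dict]] = {
    "alice": [
        {"token": "tok-readonly-PLACEHOLDER", "policy": "read-only"},
        {"token": "tok-full-PLACEHOLDER", "policy": "full access"},
    ]
}


@dataclass
class Request:
    """Hypothetical request object; auth_via_token is True when the session
    was established with an API token rather than username and password."""
    user: str
    method: str
    auth_via_token: bool


@dataclass
class Resource:
    """Hypothetical resource carrying the flag described in the change.
    Defaulting to True keeps ordinary resources reachable by token."""
    name: str
    api_token_access_allowed: bool = True


def check_access(resource: Resource, request: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). A token-authenticated session is refused on
    any resource that opts out, regardless of how permissive the token is,
    so a restricted read-only token can never enumerate other tokens."""
    if request.auth_via_token and not resource.api_token_access_allowed:
        return (False,
                "resource not accessible with an API token; "
                "log in with your username and password")
    return True, "ok"


def get_api_tokens(resource: Resource, request: Request) -> dict:
    """GET handler for the tokens resource (constructed response shape)."""
    allowed, reason = check_access(resource, request)
    if not allowed:
        return {"stat": "fail", "err": reason}
    return {"stat": "ok", "api_tokens": API_TOKENS.get(request.user, [])}


# Weak setting: the tokens resource is still reachable by token sessions,
# so a read-only token can read the full-access token (the reported issue).
VULNERABLE_TOKENS_RESOURCE = Resource("api_tokens", api_token_access_allowed=True)

# Corrected setting: the tokens resource opts out of token-based access.
FIXED_TOKENS_RESOURCE = Resource("api_tokens", api_token_access_allowed=False)


def token_session_can_list_tokens(resource: Resource) -> bool:
    """True if a token-authenticated session can read the token list."""
    req = Request(user="alice", method="GET", auth_via_token=True)
    return get_api_tokens(resource, req)["stat"] == "ok"


def password_session_can_list_tokens(resource: Resource) -> bool:
    """True if a username/password session can read the token list."""
    req = Request(user="alice", method="GET", auth_via_token=False)
    return get_api_tokens(resource, req)["stat"] == "ok"


if __name__ == "__main__":
    print("weak config, token session:", token_session_can_list_tokens(VULNERABLE_TOKENS_RESOURCE))
    print("fixed config, token session:", token_session_can_list_tokens(FIXED_TOKENS_RESOURCE))
    print("fixed config, password session:", password_session_can_list_tokens(FIXED_TOKENS_RESOURCE))
```

The check runs before any per-token policy is consulted, which is the property that matters here: the decision depends only on how the session was authenticated, not on what the presenting token is allowed to do, so a token's own policy cannot re-enable access to the resource that would disclose other tokens.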