Serrano

**Features**
- Add public queries endpoint `/api/queries/public/`
- Add support _forking_ shared queries
- Add `ApiToken` model for creating user-associated tokens for authenticated API access
- This will only be available if `serrano` in added to `INSTALLED_APPS`

**Enhancements**
- Improve shared query email message

**Bugs**
- Unset the `limit` when a page range is not specified for export
- This prevents implicitly exporting only the first page

1842cac - Add `viewable` field to concept resource template

- da97a7ec - Unset limit when page or page range is not specified

The Access-Control-Allow-Credentials response header must be set to inform browsers that cookies may be supplied on the request.

This point release fixes a few issues in the CORS support when working with persisted sessions.

**Changes**
- Distribution endpoints were incorrectly assumed to not be useful for auto and key-based fields. This has been removed and now expose a distribution endpoint.
- `SharedQueriesResource` and `/api/queries/shared/` endpoint has been removed and the behavior has been merged in with `QueriesResource`. This simplifies things since a GET now returns all queries the user created as well as queries that have been shared with the user. Likewise, a POST will create a query and optionally share it. A DELETE can only be performed on queries the user creates.