Private Accounts

[thedekel]

Rather than allowing users to delete or deauthorize their accounts and then do nothing except disable log-ins (since #142 establishes that attendance data should be kept after an account is deleted), I propose adding an option to make attendance data only visible to org-admins and super-admins.

i.e. a user can go to his profile page (#80) and turn on an option to turn his attendance data private (disabled by default). Once that's done, the user will appear as "[Private User]" (or such) on attendance lists, unless viewed by that org's admin, or by a super-admin.