Rethink permission handling for subject/courses

For now, the get_queryset method of SubjectType filters for permission ownership of the default django view permission – which has to be manually assigned. This is handled differently for CourseType where there is only a check whether the user has a person. Both ways of dealing with that don't seem particularly good...