Allow people to see friends' achievements

Right now, anyone can see another user's achievements if they know that user's PK and can type it into the URL. First, security permissions should be changed so that a user can only view another user's achievements if they are allowed to see that user's profile. Second, there should be some way of accessing achievements from something like a user's friends list.