users: don't allow admins to edit user levels directly.

Don't allow admins to bypass promotion restrictions by manually updating
user levels with a `PUT /users/:id` API call. Level changes have to go
through the /admin/users/:id/edit page.

app/policies/user_policy.rb

@@ -47,7 +47,6 @@ class UserPolicy < ApplicationPolicy
       :disable_tagged_filenames, :disable_cropped_thumbnails,
       :disable_mobile_gestures, :enable_safe_mode, :enable_desktop_mode,
       :disable_post_tooltips,
-      (:level if CurrentUser.is_admin?)
     ].compact
   end
 

test/functional/users_controller_test.rb

@@ -335,11 +335,11 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 
       context "changing the level" do
         should "not work" do
-          @cuser = create(:user)
-          put_auth user_path(@user), @cuser, params: {:user => {:level => 40}}
+          @owner = create(:owner_user)
+          put_auth user_path(@user), @owner, params: { user: { level: User::Levels::BUILDER }}
 
           assert_response 403
-          assert_equal(20, @user.reload.level)
+          assert_equal(User::Levels::MEMBER, @user.reload.level)
         end
       end