users: don't allow admins to edit user levels directly.

Don't allow admins to bypass promotion restrictions by manually updating
user levels with a `PUT /users/:id` API call. Level changes have to go
through the /admin/users/:id/edit page.
evazion
2020-12-13 19:09:49 -06:00
parent 86bba56eda
commit 9f09c495e4
2 changed files with 3 additions and 4 deletions

@@ -47,7 +47,6 @@ class UserPolicy < ApplicationPolicy
:disable_tagged_filenames, :disable_cropped_thumbnails,
:disable_mobile_gestures, :enable_safe_mode, :enable_desktop_mode,
:disable_post_tooltips,
(:level if CurrentUser.is_admin?)
].compact
end
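Review bot: with `(:level if CurrentUser.is_admin?)` gone, the trailing `].compact` on this permitted-attributes array no longer does anything, since no conditional `nil` entries remain; either drop `.compact` or add a short comment stating that `:level` is deliberately excluded here so that a later contributor does not re-add it as a convenience. The commit message says level changes must go through the `/admin/users/:id/edit` page, so it is worth double-checking that the admin edit path does not also route through this policy's permitted attributes, otherwise the intended route would lose `:level` as well.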