api: Require can_create_users permission to create users via API.

Allowing any admins to create arbitrary users is not ideal because it
can lead to abuse issues.  We should require something stronger that
requires the server operator's approval and thus we add a new
can_create_users permission.

tools/test-api

@@ -47,6 +47,10 @@ with test_server_running(force=options.force, external_host='zulipdev.com:9981')
     email = 'iago@zulip.com'  # Iago is an admin
     realm = get_realm('zulip')
     user = get_user(email, realm)
+    # Required to test can_create_users endpoints.
+    user.can_create_users = True
+    user.save(update_fields=["can_create_users"])
+
     api_key = get_api_key(user)
     site = 'http://zulip.zulipdev.com:9981'
     client = Client(