update_user_backend: Allow authorized org owners to change user emails.

This adds a new special UserProfile flag, can_change_user_emails (disabled
by default), and the ability to change the email address of users in
the realm via update_user_backend. This is useful for allowing
organizations to update user emails without needing to set up a SCIM
integration, but since it gives the ability to hijack user accounts, it
needs to be behind this additional permission and can't be just given to
organization owners by default. This is analogous to how the
create_user_backend endpoint works.
This commit is contained in:
Mateusz Mandera
2024-09-03 21:41:18 +02:00
committed by Tim Abbott
parent 8e9c592ce3
commit 389b851f81
9 changed files with 150 additions and 6 deletions


@@ -59,7 +59,8 @@ with test_server_running(
# Prepare the admin client
email = "iago@zulip.com" # Iago is an admin
realm = get_realm("zulip")
user = get_user(email, realm)
iago = get_user(email, realm)
user = iago
# Iago needs permission to manage all user groups.
admins_group = NamedUserGroup.objects.get(
@@ -69,9 +70,10 @@ with test_server_running(
realm, "can_manage_all_groups", admins_group, acting_user=None
)
# Required to test can_create_users endpoints.
# Required to test can_create_users and can_change_user_emails endpoints.
user.can_create_users = True
user.save(update_fields=["can_create_users"])
user.can_change_user_emails = True
user.save(update_fields=["can_create_users", "can_change_user_emails"])
api_key = get_api_key(user)
site = "http://zulip.zulipdev.com:9981"
@@ -85,6 +87,7 @@ with test_server_running(
email = "desdemona@zulip.com" # desdemona is an owner
realm = get_realm("zulip")
user = get_user(email, realm)
api_key = get_api_key(user)
site = "http://zulip.zulipdev.com:9981"
owner_client = Client(