Reactivate is_demo_user

[jsangmeister]

The field is_demo_user is currently not evaluated in the backend. In OS3, the following routes were forbidden to be used on users where the flag was set:

• update
• set_password
• reset_password
• bulk_set_state
• bulk_alter_groups

Routes which were generally forbidden in demo mode (at least one demo user given), independent of the payload:

• bulk_generate_passwords
• bulk_reset_passwords_to_default
• destroy
• bulk_delete
• mass_invite_email

Translated to OS4 actions, this would mean the following actions are forbidden:

• user.update (except group G to update the field is_demo_user)
• user.update_self
• user.set_password
• user.set_password_self
• user.reset_password_to_default
• user.generate_new_password
• user.delete
• user.send_invitation_email

Additionally, maybe forget_password should also be forbidden.

Another approach for the update actions would be to allow the action itself, but to blacklist specific fields like username.

[r-peschke]

IMO we decided, that we don't need a demo_user anymore in OS4.
If a kind of demo user is ńecessary, we should solve this with permissions, i.e. create a demo-group with the permissions for a demo user.

[jsangmeister]

currently not needed