Fix privilege escalation leak

A PUT request on /api/user/{user-id} by the user themselves would allow
too much, and would allow self-granting of roles (including admin),
group membership (so join any arbitrary project) and pretend to be
service accounts.

pillar/api/eve_settings.py

@@ -721,10 +721,6 @@ users = {
     'item_methods': ['GET', 'PUT', 'PATCH'],
     'public_item_methods': ['GET'],
 
-    # By default don't include the 'auth' field. It can still be obtained
-    # using projections, though, so we block that in hooks.
-    'datasource': {'projection': {'auth': 0}},
-
     'schema': users_schema
 }