Fixes#1064
Admin user operations (create, update, delete, toggle registration) were
failing with "CSRF token missing" error when accessed behind a reverse proxy.
This happened because the frontend was using plain fetch() instead of
fetchWithCsrf() utility which automatically includes the CSRF token header.
Changed all state-changing operations in AdminUsersPage to use fetchWithCsrf:
- createAdminUser (POST /admin/users)
- updateAdminUser (PUT /admin/users/:id)
- deleteAdminUser (DELETE /admin/users/:id)
- toggleRegistration (POST /admin/toggle-registration)
- Add admin-only users API: list/create/delete (prevent self-delete and last-admin deletion).
- Include is_admin in auth responses.
- Frontend: /admin/users page with table, selection, remove, Add User modal.
- Show “Manage users” in user menu for admins and optional sidebar link.
- Add i18n strings for admin UI.
- Enhance create user script to grant admin via optional third arg.
- Minor: set dev bootstrap user as admin in start script.
