Feature request: Add server-side enforcement of enable_account_interface #22437

@martincarrere

Summary

The enable_account_interface configuration flag currently enforces its
restriction at the UI layer only. The get_information handler
(GET /api/users/{id}/information/inputs) correctly gates form fields
behind the flag, but the corresponding write handler set_information
(PUT /api/users/{id}/information/inputs) contains no equivalent
server-side check.

As a result, any authenticated user can bypass the restriction by calling
the API directly, updating their email or username regardless of the flag value.

Motivation

In deployments where enable_account_interface: false is used alongside
SSO/OIDC/LDAP to keep Galaxy accounts synchronized with an external identity
provider, this gap allows users to desynchronize their Galaxy profile from
the upstream directory.

Proposed fix

Add a server-side guard in set_information mirroring the condition already
present in get_information, rejecting write requests when
enable_account_interface is false (and use_remote_user is not set).

Reporter

Reported by @martincarrere (see related GHSA discussion and draft plan https://gist.github.com/jmchilton/ca41e57ec1b1d9352a0fed6601e85eaa).
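
The guard proposed above, sketched as an added example (not Galaxy's code and not part of the original issue): the read and write paths share one predicate, so the flag cannot hold in the form and fail in the API. `Config`, `Forbidden`, `account_fields_locked`, the dict-based user record and the `address` field are hypothetical stand-ins. Rejecting only requests that change `email` or `username`, rather than every write, is an assumption made so that other fields stay editable.

```python
from dataclasses import dataclass

@dataclass
class Config:  # hypothetical stand-in for the server configuration
    enable_account_interface: bool = True
    use_remote_user: bool = False

class Forbidden(Exception):
    """A real handler would map this to an HTTP 403 response."""

GATED_FIELDS = ("email", "username")
WRITABLE_FIELDS = GATED_FIELDS + ("address",)  # "address" is a constructed extra field

def account_fields_locked(config: Config) -> bool:
    # Condition as worded in the issue: flag is false and use_remote_user is not set.
    return not config.enable_account_interface and not config.use_remote_user

def get_information(config: Config, user: dict) -> dict:
    """Read path: leave the gated fields out of the form when they are locked."""
    hidden = GATED_FIELDS if account_fields_locked(config) else ()
    return {k: user[k] for k in WRITABLE_FIELDS if k not in hidden}

def set_information(config: Config, user: dict, payload: dict) -> dict:
    """Write path: apply the same predicate before touching the record."""
    if account_fields_locked(config):
        changed = [f for f in GATED_FIELDS if f in payload and payload[f] != user[f]]
        if changed:
            raise Forbidden(f"account fields are read-only here: {', '.join(changed)}")
    # Copy only known fields so unrelated keys in the payload are ignored.
    user.update({k: v for k, v in payload.items() if k in WRITABLE_FIELDS})
    return user

if __name__ == "__main__":
    # Constructed sample record and requests.
    user = {"email": "a@example.org", "username": "a", "address": "Lab 1"}
    locked = Config(enable_account_interface=False)
    print(get_information(locked, user))
    try:
        set_information(locked, user, {"email": "b@example.org"})
    except Forbidden as exc:
        print("rejected:", exc)
```

A regression test for the fix would exercise the write handler directly with the flag off, since hiding the form fields alone leaves the behaviour described in the summary.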
