Improve security of and make optional certain user API parameters

[hulbert]

This brings over the hidden isAdmin checkbox from @davidkaneda's dropbox branch (this code doesn't work so well without it) and then actually makes the marked "optional" fields (in the apidoc) optional. It also adds to the apidoc the fact that the API takes an array of roles.

Finally, it does not allow non-administrators to submit roles.

A note about a past suggestion of using something like _.extend user, _.pick req.body, 'name', 'email': I believe Mongoose's Document#set behaves similarly, and _.pick does not add key: null to the returned object if a parameter is missing so it should be okay to use this pattern of document.set _.pick req.body 'param1', 'param2' for optional API field edits.

[davidkaneda]

Users should already have their passwordDigest filtered out (it has a select: false on the attribute in the Mongoose Schema)

[davidkaneda]

Sorry about this @hulbert — Any chance you could merge with the most recent master branch? I'll merge as is and tidy up any bits later, thanks :)