`/api/_theme/options` endpoint is unprotected

[pi0]

Checking current implementation, we allow any user to post a body to write to server storage (here).

An attacker can cause large file writes or intentionally break the whole production website by corrupting the theme config and its types.

A quick fix would be only enabling and allowing updates via a secret to authenticate.

[atinux]

We need to disable in production indeed