refactor(provisioning_api): consolidate user-edit field logic

[pringelmann]

• Related to: Re-use the new user modal to edit users (user management) #40903

Summary

Stage 1 of consolidating the two user-update endpoints:

• editUser (single-field PUT)
• editUserMultiField (multi-field PATCH)

These duplicated the per-field validate/apply rules. This extracts them into
private helpers and routes both endpoints through them, so each rule lives in
one place.

Mostly a refactor, but unifying the two endpoints' rules changes behavior in
three places. All intended:

• PATCH now gates the primary email on canEditProperty('email'), same as PUT
  already did. A self user whose email is locked (allow_user_to_change_email=false,
  or an LDAP-mapped account) can no longer change it via PATCH.
• PUT now applies the force_language policy in the language branch, so a
  subadmin editing another user is blocked when force_language is set
  (previously it only checked the language exists).
• Email validation goes through IEmailValidator, so the accepted/rejected set
  shifts vs filter_var (e.g. user@localhost is accepted on non-strict instances).

Request/response shapes and the OCS error codes / HTTP statuses are otherwise
unchanged. Existing tests still pass (a few updated slightly); new unit tests cover each helper plus the three
changes above.

Stage 2 will expand PATCH to full field parity and make editUser a thin wrapper
over it. Left out here so this stays scoped, since rerouting the long-standing
editUser path is a bigger behavioral change that warrants its own review imo.

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)
• Labels added where applicable (ex: bug/enhancement, 3. to review, feature component)
• Milestone added for target branch/version (ex: 32.x for stable32)

AI

• The content of this PR was partly generated using AI (mainly testing and reviewing)