Remove CSRF, add password change, admin user management

Stripped all CSRF token generation, injection, and validation since it
breaks behind Apache reverse proxy. Removed handlers/csrf.go, stripped
CSRFToken from PageData, removed validateCSRFToken from all POST handlers,
and cleaned up hidden inputs and JS CSRF references.

Added self-service password change at /password/ with current-password
verification and bcrypt update. New Password link in navbar.

Extended admin panel with user management: lists all users with join dates
and allows admins to delete other users (self-deletion blocked). Added
GetAllUsers() and DeleteUser() to models.

Co-authored-by: CommandCodeBot <noreply@commandcode.ai>

templates/pages/thread.html

@@ -105,3 +105,11 @@
 </body>
 </html>
 {{end}}
+{ target.classList.remove('post-highlighted'); }, 2000);
+            }
+        });
+    });
+    </script>
+</body>
+</html>
+{{end}}