
Add admin OAuth limit setting

Joern Schneeweisz requested to merge joern-add-admin-oauth-limit-setting into master

What does this MR do and why?

Implement Feature proposal: ability to prevent admins/gro... (#375043 - closed): an application setting to disallow administrator accounts from connecting OAuth applications with the scopes api, read_api, read_repository, write_repository and sudo. This feature is intended to prevent OAuth phishing of admin accounts. It does not prevent an actual connect, but an attacker isn't able to bypass the Forbidden consent screen unless they had a way to bypass our CSRF protection. This will also not prevent trusted system OAuth applications from working (e.g. GitLab Pages), as those bypass the consent screen. Turns out I was wrong about trusted OAuth applications; this has been addressed in commit 36f7b20d.

Screenshots or screen recordings

Screenshot of the Forbidden screen for admin accounts (image not reproduced here).

How to set up and validate locally


  1. Enable the feature: curl --header "PRIVATE-TOKEN: glpat-..." http://gdk.test:3000/api/v4/application/settings\?disable_admin_oauth_scopes=true -X PUT
  2. Create an OAuth application with a scope out of api, read_api, read_repository, write_repository or sudo.
  3. Try to connect the application with an admin account: http://gdk.test:3000/oauth/authorize?client_id=xxxx&redirect_uri=http://localhost:4567&response_type=code
  4. Observe the Forbidden screen not allowing the connection.
  5. Repeat step 3 with a non-admin user; that user will be able to connect.
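The consent decision described in the MR description and exercised by the steps above, as an added example written for this page (it is not GitLab's code; the module name, the hash-shaped settings/user arguments and the scope-string parsing are assumptions):

```ruby
# Added example, not GitLab's implementation: models the admin OAuth scope
# restriction this MR introduces. AdminOauthScopeGuard, the hash-shaped
# settings/user inputs and the scope parsing are assumptions for illustration.
require 'set'

module AdminOauthScopeGuard
  # Scopes the MR description lists as blocked for administrator accounts.
  RESTRICTED_SCOPES = Set.new(%w[api read_api read_repository write_repository sudo]).freeze

  # Returns the requested scopes that are restricted for admins, in request order.
  # Accepts the scope parameter of an /oauth/authorize request; OAuth scope lists
  # are space-separated, and '+' is tolerated as the URL-encoded form of a space.
  def self.restricted_scopes(scope_param)
    requested = scope_param.to_s.split(/[\s+]+/).reject(&:empty?)
    requested.select { |scope| RESTRICTED_SCOPES.include?(scope) }
  end

  # Decision for the consent screen: :allow or :forbidden.
  #   settings: { disable_admin_oauth_scopes: true/false }  (the new application setting)
  #   user:     { admin: true/false }
  # Trusted applications get no exemption here: the MR description notes that the
  # assumption that they bypass the check was wrong and was addressed in 36f7b20d.
  def self.decision(settings:, user:, scope_param:)
    return :allow unless settings[:disable_admin_oauth_scopes]
    return :allow unless user[:admin]

    restricted_scopes(scope_param).empty? ? :allow : :forbidden
  end
end
```

The check only matters when the setting is on and the requesting user is an admin; every other combination falls through to the normal consent flow.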


Edited by Joern Schneeweisz
