Add a validator to the /admin/ form for changing email addresses

Add a validator to the /admin/ form for changing email addresses

As Jonathan recently demonstrated, it was possible to change the primary
email address on one account to be the secondary email address of
another one when using /admin/ (it was prevented when using the user
facing forms), which then caused conflicts in the change track and
replication steps later.

Add a validator to the admin form to avoid this mistake in the future.

This doesn't entirely remove all possibilities, so we should consider
adding a database trigger to enforce it as well, but it closes the most
obvious hole and makes the other ones much harder to hit (but you can
still cause the same damage through psql or so, of course).