Prevent use of expiries to circumvent restrictions on removing user groups
author This, that and the other <at.light@live.com.au>
Wed, 1 Feb 2017 03:22:37 +0000 (14:22 +1100)
committer This, that and the other <at.light@live.com.au>
Wed, 1 Feb 2017 03:22:37 +0000 (14:22 +1100)
commit 446d4a28251a543efa55227fb54976b29bbe3d6b
tree 0b80245139222ac4bc54ea463138b62b053f263a
parent 728cd57b2d5ff799d15f14791bb8680eb6d1dacc

I hadn't thought through what happens if a user has permission to add but
not remove a user group, or vice versa. This cleans up the UI logic,
showing controls that are available to users and vice versa, and the data
validation as well.

In particular, if user B can add users to the 'sysop' group but not remove
them from it, and user X is a sysop expiring in 1 year, user B should not
be allowed to modify the expiry to 1 second (which has the same effect as
removing the group). With this patch, user B can only extend user X's
sysop rights, perhaps to renew their temporary adminship for another year;
they can no longer bring forward the expiry date.

I'm omitting this check from the API on purpose. The API's validation
of the expiry dates seems to be there solely to reject bogus/invalid data.
Notably, the API doesn't throw an error when the user passes a group that
they can't add or remove.

Also added a # in the UI to show groups whose expiry cannot be brought
forward.

Bug: T156784
Change-Id: I0c0dadc2035c0cdf19accd5a97f08e33151a08ba
includes/specials/SpecialUserrights.php
languages/i18n/en.json
languages/i18n/qqq.json
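
The rule described in the commit message, as an added standalone PHP example (not the code from SpecialUserrights.php). The function name, its parameters, and the choice to require the add right for an extension are assumptions of this example.

```php
<?php
// Added illustration only; not code from SpecialUserrights.php.
// Function and parameter names are hypothetical.

const NEVER = PHP_INT_MAX; // stands in for "no expiry"

/**
 * Decide whether an actor may apply one requested change to a group membership.
 * Expiries are Unix timestamps; null means the membership never expires.
 * Returns [allowed, reason].
 */
function checkGroupChange(
    bool $canAdd, bool $canRemove,
    bool $isMember, ?int $curExpiry,
    bool $wantMember, ?int $newExpiry
): array {
    if (!$wantMember) {
        if (!$isMember) {
            return [true, 'no change'];
        }
        return $canRemove ? [true, 'removal'] : [false, 'actor cannot remove this group'];
    }
    if (!$isMember) {
        return $canAdd ? [true, 'addition'] : [false, 'actor cannot add this group'];
    }
    // Target already holds the group, so only the expiry can change.
    $cur = $curExpiry ?? NEVER;
    $new = $newExpiry ?? NEVER;
    if ($new === $cur) {
        return [true, 'no change'];
    }
    if ($new < $cur) {
        // Bringing the expiry forward has the same effect as a removal.
        return $canRemove ? [true, 'expiry shortened'] : [false, 'actor cannot bring the expiry forward'];
    }
    // Assumption of this example: extending needs the add right.
    return $canAdd ? [true, 'expiry extended'] : [false, 'actor cannot extend the expiry'];
}

// Constructed scenario from the commit message: B can add 'sysop' but not
// remove it, and X is a sysop whose membership expires in one year.
$now = 1500000000; // constructed fixed timestamp
$year = 365 * 86400;
$requests = ['1 second' => $now + 1, '2 years' => $now + 2 * $year, 'never' => null];
foreach ($requests as $label => $expiry) {
    [$ok, $why] = checkGroupChange(true, false, true, $now + $year, true, $expiry);
    printf("%-8s -> %s (%s)\n", $label, $ok ? 'allowed' : 'rejected', $why);
}
```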