System admin should not be able to read user's API key #73

Closed
mKowalski256 opened this issue Jul 30, 2024 · 1 comment

mKowalski256 commented Jul 30, 2024

To Reproduce
Steps to reproduce the behavior:

  1. Log in as userA, go to My RSpace -> My Profile page, and generate an API key.
  2. Log out, log in as a System Admin, go to the System page, and start 'Operating as' userA.
  3. While operating as userA, navigate to their profile, scroll down to 'API key' and click on 'show key'
    -- the System Admin will be able to see the user's API key

Additionally, there is a sysadmin API allowing retrieval of users' API keys.

Expected behavior
Only the user should be able to access their API key. While the System Admin is a privileged user, they shouldn't be able to impersonate users outside the impersonation scheme provided by the GUI app itself.

There may be specific migration scenarios that use the API to re-create a user's content, and for that they need to create/retrieve/delete API keys. We may keep supporting API methods meant for that, but these should be guarded by a deployment property that is disabled by default.

Also note that while the action of viewing a user's API key is traceable (logged in httpRequests.log and error.log), it may be worth additional logging in SecurityEvents.txt.

Additional context
Based on a reported issue #58.

@mKowalski256 added the "bug" (Something isn't working) label Jul 30, 2024
@rspace-os deleted a comment from github-actions bot Jul 30, 2024
@mKowalski256 changed the title from "System admin should not see user's API key in 'operate as' mode" to "System admin should not be able to read user's API key" Jul 30, 2024
@mKowalski256 (Contributor, Author)

Fixed with commit 73ae18d522a - System Admin should no longer be able to retrieve API key generated by the user.

Note that System Admin can still revoke/regenerate new API key for the user - these are useful in some support scenarios, and risk-wise it's similar to how we allow System Admin to change user's password.
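
The access rule this issue arrives at, sketched as an added example (not RSpace's code and not the contents of the commit above): key reads are refused in an 'operating as' session, the sysadmin retrieval path is off unless a deployment property enables it, and every denial or admin action is written to a security-event logger. `Session`, `ApiKeyService` and `sysadmin_key_retrieval_enabled` are hypothetical names, and returning the new key from `regenerate` is an assumption.

```python
import logging
import secrets
from dataclasses import dataclass
from typing import Optional

# Stand-in for a dedicated security-event log such as SecurityEvents.txt.
security_log = logging.getLogger("security_events")

@dataclass(frozen=True)
class Session:
    subject: str                    # account the session acts as
    operator: Optional[str] = None  # real sysadmin while 'operating as' subject
    is_sysadmin: bool = False

class ApiKeyService:
    def __init__(self, sysadmin_key_retrieval_enabled: bool = False):
        # Hypothetical deployment property: off unless a deployment opts in.
        self.sysadmin_key_retrieval_enabled = sysadmin_key_retrieval_enabled
        self._keys = {}  # owner -> current key (in-memory for the example)

    def _deny(self, s: Session, owner: str, action: str):
        security_log.warning("DENIED %s of API key for %s by %s",
                             action, owner, s.operator or s.subject)
        raise PermissionError(f"{action} of API key not permitted")

    def regenerate(self, s: Session, owner: str) -> str:
        # Owner or sysadmin may replace the key; the old value is never returned.
        if not (s.is_sysadmin or s.subject == owner):
            self._deny(s, owner, "regenerate")
        if s.operator or s.subject != owner:
            security_log.warning("API key for %s regenerated by %s",
                                 owner, s.operator or s.subject)
        self._keys[owner] = secrets.token_urlsafe(32)
        return self._keys[owner]

    def show_key(self, s: Session, owner: str) -> Optional[str]:
        # Only the owner, in a direct (non-impersonated) session, may read it.
        if s.subject != owner or s.operator is not None:
            self._deny(s, owner, "read")
        return self._keys.get(owner)

    def sysadmin_get_key(self, s: Session, owner: str) -> Optional[str]:
        # Migration-only path: needs a direct sysadmin session AND the property.
        if not (s.is_sysadmin and s.operator is None
                and self.sysadmin_key_retrieval_enabled):
            self._deny(s, owner, "sysadmin retrieval")
        security_log.warning("API key for %s retrieved by sysadmin %s",
                             owner, s.subject)
        return self._keys.get(owner)
```
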
