feat(user): implement user restrictions

## APIs Restricted for Restricted Users

A restricted user is blocked from performing the following actions, and will typically receive a `403 Forbidden` error:

*   **Chat & Notifications:**
    *   Sending any chat messages (public or private).
    *   Joining or leaving chat channels.
    *   Creating new PM channels.
*   **User Profile & Content:**
    *   Uploading a new avatar.
    *   Uploading a new profile cover image.
    *   Changing their username.
    *   Updating their userpage content.
*   **Scores & Gameplay:**
    *   Submitting scores in multiplayer rooms.
    *   Deleting their own scores (to prevent hiding evidence of cheating).
*   **Beatmaps:**
    *   Rating beatmaps.
    *   Taging beatmaps.
*   **Relationship:**
    *   Adding friends or blocking users.
    *   Removing friends or unblocking users.
*   **Teams:**
    *   Creating, updating, or deleting a team.
    *   Requesting to join a team.
    *   Handling join requests for a team they manage.
    *   Kicking a member from a team they manage.
*   **Multiplayer:**
    *   Creating or deleting multiplayer rooms.
    *   Joining or leaving multiplayer rooms.

## What is Invisible to Normal Users

*   **Leaderboards:**
    *   Beatmap leaderboards.
    *   Multiplayer (playlist) room leaderboards.
*   **User Search/Lists:**
    *   Restricted users will not appear in the results of the `/api/v2/users` endpoint.
    *   They will not appear in the list of a team's members.
*   **Relationship:**
    *   They will not appear in a user's friend list (`/friends`).
*   **Profile & History:**
    *   Attempting to view a restricted user's profile, events, kudosu history, or score history will result in a `404 Not Found` error, effectively making their profile invisible (unless the user viewing the profile is the restricted user themselves).
*   **Chat:**
    *   Normal users cannot start a new PM with a restricted user (they will get a `404 Not Found` error).
*   **Ranking:**
    *   Restricted users are excluded from any rankings.

### How to Restrict a User

Insert into `user_account_history` with `type=restriction`.

```sql
-- length is in seconds
INSERT INTO user_account_history (`description`, `length`, `permanent`, `timestamp`, `type`, `user_id`) VALUE ('some description', 86400, 0, '2025-10-05 01:00:00', 'RESTRICTION', 1);
```

---

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

app/router/v2/score.py

@@ -255,9 +255,6 @@ async def get_beatmap_scores(
     ] = LeaderboardType.GLOBAL,
     limit: Annotated[int, Query(ge=1, le=200, description="返回条数 (1-200)")] = 50,
 ):
-    if legacy_only:
-        raise HTTPException(status_code=404, detail="this server only contains lazer scores")
-
     all_scores, user_score, count = await get_leaderboard(
         db,
         beatmap_id,
@@ -355,6 +352,7 @@ async def get_user_all_beatmap_scores(
                 Score.beatmap_id == beatmap_id,
                 Score.user_id == user_id,
                 col(Score.passed).is_(True),
+                ~User.is_restricted_query(col(Score.user_id)),
             )
             .order_by(col(Score.total_score).desc())
         )
@@ -433,7 +431,9 @@ async def create_playlist_score(
     current_user: ClientUser,
     version_hash: Annotated[str, Form(description="谱面版本哈希")] = "",
 ):
-    # 立即获取用户ID，避免懒加载问题
+    if await current_user.is_restricted(session):
+        raise HTTPException(status_code=403, detail="You are restricted from submitting multiplayer scores")
+
     user_id = current_user.id
 
     room = await session.get(Room, room_id)
@@ -499,7 +499,9 @@ async def submit_playlist_score(
     redis: Redis,
     fetcher: Fetcher,
 ):
-    # 立即获取用户ID，避免懒加载问题
+    if await current_user.is_restricted(session):
+        raise HTTPException(status_code=403, detail="You are restricted from submitting multiplayer scores")
+
     user_id = current_user.id
 
     item = (await session.exec(select(Playlist).where(Playlist.id == playlist_id, Playlist.room_id == room_id))).first()
@@ -574,6 +576,7 @@ async def index_playlist_scores(
                 PlaylistBestScore.playlist_id == playlist_id,
                 PlaylistBestScore.room_id == room_id,
                 PlaylistBestScore.total_score < cursor,
+                ~User.is_restricted_query(col(PlaylistBestScore.user_id)),
             )
             .order_by(col(PlaylistBestScore.total_score).desc())
             .limit(limit + 1)
@@ -641,6 +644,7 @@ async def show_playlist_score(
                         PlaylistBestScore.score_id == score_id,
                         PlaylistBestScore.playlist_id == playlist_id,
                         PlaylistBestScore.room_id == room_id,
+                        ~User.is_restricted_query(col(PlaylistBestScore.user_id)),
                     )
                 )
             ).first()
@@ -658,6 +662,7 @@ async def show_playlist_score(
                 select(PlaylistBestScore).where(
                     PlaylistBestScore.playlist_id == playlist_id,
                     PlaylistBestScore.room_id == room_id,
+                    ~User.is_restricted_query(col(PlaylistBestScore.user_id)),
                 )
             )
         ).all()
@@ -702,6 +707,7 @@ async def get_user_playlist_score(
                     PlaylistBestScore.user_id == user_id,
                     PlaylistBestScore.playlist_id == playlist_id,
                     PlaylistBestScore.room_id == room_id,
+                    ~User.is_restricted_query(col(PlaylistBestScore.user_id)),
                 )
             )
         ).first()