Allow to spot User.disable with a new, dedicated UserAction

chaotic, as discussed off list we lack the ability to react to User.disable(String) with the current AuthorizableAction interface, while at the same time encouraging API consumers to disable users instead of removing them.

One use case for such a method would be deleting additional information stored with the user account such as e.g. profile data, preferences, as soon as the user gets disabled.

Since extending AuthorizableAction would require a major bump of the exported version, I would suggest to introduce a new UserAction interface, providing that new method, in correspondance to GroupAction, which covers group specific actions. And, in an ideal world AuthorizableAction.onPasswordChange would also reside with UserAction.

stillalex, wdyt?