Add admin_required to admin_add_user

Access to the admin_add_user view should be restricted to administrators
only. Unfortunately, I accidentally omitted the `@admin_required`
decorator for this view. Since `@admin_required` encapsulates
`@login_required`, this means that anybody with access to the Document
Interface would be able to create a user accounts.

This is a fix for the issue reported on Bugtraq:
http://seclists.org/bugtraq/2015/Apr/8

securedrop/journalist.py

@@ -151,6 +151,7 @@ def admin_index():
 
 
 @app.route('/admin/add', methods=('GET', 'POST'))
+@admin_required
 def admin_add_user():
     if request.method == 'POST':
         form_valid = True