Remove `username` from `User#sanitize_attrs` callback

Merged Robert Speicher requested to merge rs-remove-username-from-sanitize-attrs into master

This attribute is since validated against DynamicPathValidator, which has strict requirements for the characters allowed, and should no longer need to be sanitized in a callback before saving.

This has additional benefits in our test suite, where every creation of a User record was calling Sanitize.clean on a username value that was always clean, since we're the ones generating it.