Simplify: Remove admin attribute from Educator and from authorization path

[kevinrobinson]

Who is this PR for?

developers and project leads

What problem does this PR fix?

The way that staff_type influences permissions is complicated and the interaction between values in Aspen and Insights isn't clear in the UI or code. This leaves open edge cases related to critical path authorization. The first time the educator record is created, the staff_type value influences schoolwide_access and can_view_restricted_notes but the import process only does this once and these relationships aren't kept in sync over time if the underlying SIS staff_type value changes.

What does this PR do?

Removes admin as a value that's computed from staff_type and as a result remove staff_type from influencing Insights authorization altogether. This makes it an explicit steps for project leads to allow new users schoolwide access or to restricted notes, which this PR views as a security improvement.

Separately, this tightens authorization in several controllers where were using admin+districtwide_access in endpoints where we really should be restricting access to project leads only (and where the UI already had removed these links).

Checklists

• Author checked latest in IE - Home page
• Author checked latest in IE - My Sections page
• Author checked latest in IE - Section page
• Author checked latest in IE - Homeroom page
• Author checked latest in IE - Service upload
• Author checked latest in IE - Districtwide
• Author checked latest in IE - Is the service working
• Author checked latest in IE - Is the service working
• Author checked latest in IE - Student Profile
• Author checked latest in IE - Student Report PDF
• Author checked latest in IE - School Overview
• Author improved specs for code in need of better test coverage
• Author included specs for new code

(this still needs testing)