DT-1496: Prevent update self from updating institution id

[rushtong]

Addresses

Back end work for https://broadworkbench.atlassian.net/browse/DT-1496

Summary

Prevent users from updating their institution id via the self update endpoint.
If a user tries to do this, return a bad request response.
Relatively large change to resource test due to the removal of previous logic and some other minor cleanup efforts.
See DataBiosphere/duos-ui#2821 for related front end work.

---

Have you read CONTRIBUTING.md lately? If not, do that first.

• Label PR with a Jira ticket number and include a link to the ticket
• Label PR with a security risk modifier [no, low, medium, high]
• PR describes scope of changes
• Get a minimum of one thumbs worth of review, preferably two if enough team members are available
• Get PO sign-off for all non-trivial UI or workflow changes
• Verify all tests go green
• Test this change deployed correctly and works on dev environment after deployment

[rushtong]

This was only really needed for testing.

[pshapiro4broad]

That's good because since this is a mutable object the results aren't valid over time. It would be better to make this immutable using record so you don't have write and maintain these methods for tests. But that would require a bigger change.

[pshapiro4broad]

A few comments, looks OK overall

[pshapiro4broad]

That's good because since this is a mutable object the results aren't valid over time. It would be better to make this immutable using record so you don't have write and maintain these methods for tests. But that would require a bigger change.

[pshapiro4broad]

If this was using openapi generated code, there would be a different object type for this request (vs the admin API) so we wouldn't need to add a specific validation for this field.

We could do this here too, e.g., have both SelfUserUpdateFields and AdminUserUpdateFields. Then the 400 would be thrown when gson.fromJson() is called.

[fboulnois]

👍