Tbolt/4411 Fixes issue where PUTs against /states/:stateId/affiliations/:id could assign invalid roles

[tbolt]

Resolves #4411

Description

Adds a check to limit State Admins to only update affiliations to either eAPD State Contractor or eAPD State Staff and that Fed Admins can only update affiliations to eAPD State Admin

Significant changes or possible side effects

Updating certifications uses the same logic as affiliations and was updated to support this new check

Automated test cases written

Given	When	Then	Type (jest, tap, cypress)
a state admin	updating an affiliation to eAPD System Admin (or similar elevated role)	fails updating role	tap
a fed admin	updating an affiliation to eAPD State Staff (or non-State Admin role)	fails updating role	tap
a fed admin	updating an affiliation match without a corresponding certification	fails updating role	tap

Steps to manually verify this change

1. Use an HTTP client (Postman, Insomnia, Paw, etc...)
2. Login to APD as a state admin (that has been approved as state admin)
3. Grab the JWT token from your cookies
4. Add that as a Bearer token in your HTTP client
5. Hit the update affiliations endpoint (ex. PUT http://localhost:8081/states/ak/affiliations/1)
6. Attempt to update to an invalid role ID
7. Verify a 400 error is returned with an error message
8. Repeat above steps as a fed admin attempting to assign a role that's not State Admin

This pull request is ready to code review when

• Automated tests are updated (and all tests are passing)
• New automated test cases are documented above
• Pull request has been labeled, if applicable with feature, content, bug,
  tests, refactor
• Associated OpenAPI documentation has been updated
• The experience passes a basic manual accessibility audit (keyboard nav,
  screenreader, text scaling) OR an exemption is documented

This pull request is ready to test when

• Code has been reviewed by someone other than the original author

This pull request is ready to review when the QA has

• Verified the functionality related to the change
• Verified that the change works with Narrator on Windows
• Verified that the change works with VoiceOver on Mac
• Verified all updated pages with the WAVE tool
• Verified tab and keyboard navigation functionality

This pull request can be merged when

• Design has approved the experience
• Product has approved the experience

[codecov-commenter]

Codecov Report

Merging #4412 (0dadb78) into main (36c521a) will decrease coverage by 0.49%.
The diff coverage is 84.21%.

@@            Coverage Diff             @@
##             main    #4412      +/-   ##
==========================================
- Coverage   95.05%   94.56%   -0.50%     
==========================================
  Files         314      314              
  Lines        6978     6992      +14     
  Branches     1526     1526              
==========================================
- Hits         6633     6612      -21     
- Misses        339      369      +30     
- Partials        6       11       +5     

Impacted Files	Coverage Δ
api/routes/auth/certifications/put.js	95.00% <ø> (ø)
api/db/affiliations.js	73.07% <83.33%> (+13.07%)	⬆️
api/routes/states/affilitations/patch.js	92.59% <100.00%> (+0.28%)	⬆️
...y-state-personnel/ApdStateProfileMedicaidOffice.js	59.64% <0.00%> (-29.83%)	⬇️
...apd/activities/schedule-and-milestones/Schedule.js	74.19% <0.00%> (-19.36%)	⬇️
...w/NameAndFundingSource/NameAndFundingSourceForm.js	85.18% <0.00%> (-11.12%)	⬇️
...src/pages/apd/proposed-budget/IncentivePayments.js	84.74% <0.00%> (-10.17%)	⬇️
...surances-and-compliance/AssurancesAndCompliance.js	88.33% <0.00%> (-5.00%)	⬇️
...ctivities/activities-dashboard/ActivityReadOnly.js	90.54% <0.00%> (-4.06%)	⬇️
web/src/components/DateField.js	93.54% <0.00%> (-3.23%)	⬇️
... and 2 more

Impacted Files	Coverage Δ
api/routes/auth/certifications/put.js	95.00% <ø> (ø)
api/db/affiliations.js	73.07% <83.33%> (+13.07%)	⬆️
api/routes/states/affilitations/patch.js	92.59% <100.00%> (+0.28%)	⬆️
...y-state-personnel/ApdStateProfileMedicaidOffice.js	59.64% <0.00%> (-29.83%)	⬇️
...apd/activities/schedule-and-milestones/Schedule.js	74.19% <0.00%> (-19.36%)	⬇️
...w/NameAndFundingSource/NameAndFundingSourceForm.js	85.18% <0.00%> (-11.12%)	⬇️
...src/pages/apd/proposed-budget/IncentivePayments.js	84.74% <0.00%> (-10.17%)	⬇️
...surances-and-compliance/AssurancesAndCompliance.js	88.33% <0.00%> (-5.00%)	⬇️
...ctivities/activities-dashboard/ActivityReadOnly.js	90.54% <0.00%> (-4.06%)	⬇️
web/src/components/DateField.js	93.54% <0.00%> (-3.23%)	⬇️
... and 2 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 36c521a...0dadb78. Read the comment docs.

[thetif]

great work! thanks for the speedy turn around. I just had a couple of optimization suggestions

[cms-eapd-bot]

See this pull request in action: https://ec2-3-215-45-51.compute-1.amazonaws.com

0dadb78

[Sun-Mountain]

🚀

[mirano-darren]

Tested using Postman and everything looks good!
State Admins are only allowed to approve State Staff and Contractors
Fed Admins are only allowed to approve State Admins

[jeromeleecms]

Did a quick check on the FedAdmin functionality. Confirmed I could not approve a user without a letter. Everything seems OK and functioning as normal.

Will defer to the Dev/QA to verify that the patch was made correctly otherwise.

[jeromeleecms]

Waiting for backend tests to be resolved before we put this in.