Fix profile controller update method

[wacii]

The recently added param filtering removed isAdmin from user, which prevents the admin toggle from working.

Also fixed the cannot demote self check. Was using userId from params, but against convention, the id is not included in the path but the request body.

The admin toggle code was refactored for clarity and a test was added.

Now that I look at it, I had to change the authenticated user is admin check as well. Not sure how this was working before...

[jspaine]

Huh, yeah that's a bit weird the put route has no userId param. Didn't you add the parseInt(req.params.userId because it was a string and req.user._id was a number though?!?

[wacii]

I guess I was just assuming? The code ended up getting changed a number of times, so I suppose I just lost track of what had and had not been tested. I really should have just added some tests.