1. The edit user page allows making a user an admin or an auditor. This creates
   a virtual attribute called `access_level` which can have `regular`, `admin`,
   or `auditor` as valid values.

2. The `access_level=` method was broken, which led to the page not accepting
   changes to a user's access level.

3. This commit fixes the issue and adds specs for `access_level=`