Fix bug with removing email auth for broadcast service

We accidently were removing the ability for a service to do email auth
if it was a broadcast service with email auth. This fixes it.

Note, it might be up for debate later whether we let broadcast services
use email auth (I think we should) so this might change in time, but we
will fix this bug regardless.

Note, worth glancing at `SERVICE_PERMISSION_TYPES` which contains a list
of permissions that a service might have to make sure I haven't missed
any others. The one that looks potentially dodgy is the
`EDIT_FOLDER_PERMISSIONS` permission but I can't see this being used
anywhere in the API or the admin app so think it is likely now defunct
and a user level permission so we don't need to worry about it.

app/dao/broadcast_service_dao.py

@@ -3,7 +3,7 @@ from datetime import datetime
 from flask import current_app
 
 from app import db
-from app.models import ServiceBroadcastSettings, ServicePermission, Organisation, BROADCAST_TYPE
+from app.models import ServiceBroadcastSettings, ServicePermission, Organisation, BROADCAST_TYPE, EMAIL_AUTH_TYPE
 from app.dao.dao_utils import transactional
 
 
@@ -20,7 +20,11 @@ def set_broadcast_service_type(service, service_mode, broadcast_channel, provide
 
     ServicePermission.query.filter(
         ServicePermission.service_id == service.id,
-        ServicePermission.permission != BROADCAST_TYPE
+        ServicePermission.permission != BROADCAST_TYPE,
+        # Email auth is an exception to the other service permissions (which relate to what type
+        # of notifications a service can send) where a broadcast service is allowed to have the
+        # email auth permission (but doesn't have to)
+        ServicePermission.permission != EMAIL_AUTH_TYPE
     ).delete()
 
     # Refresh the service object as it has references to the service permissions but we don't yet