
Commit 2dfe03d

authored
Merge branch 'dev' into dr_1830
2 parents 883219a + 1fdd5bb commit 2dfe03d

9 files changed

Lines changed: 1356 additions & 103 deletions


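--- a/package.json
+++ b/package.json
@@ -90,6 +90,8 @@
 "populate-cve:stage": "NODE_ENV=staging node src/scripts/populate-cve.js",
 "populate-cve:int": "NODE_ENV=integration node src/scripts/populate-cve.js",
 "populate-cve:prd": "NODE_ENV=production node src/scripts/populate-cve.js",
+"generate": "NODE_ENV=test node src/scripts/test_data/generate.js",
+"reset-keys": "NODE_ENV=test node src/scripts/test_data/reset_keys.js",
 "start:dev": "node src/swagger.js && TZ=utc NODE_ENV=development node src/scripts/updateOpenapiHost.js && TZ=utc NODE_ENV=development node-dev src/index.js",
 "dev": "node src/swagger.js && TZ=utc NODE_ENV=development node src/scripts/updateOpenapiHost.js && TZ=utc NODE_ENV=development node-dev src/index.js",
 "start:stage": "node src/swagger.js && NODE_ENV=staging node src/scripts/updateOpenapiHost.js && NODE_ENV=staging node src/index.js",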

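--- a/src/controller/registry-org.controller/registry-org.controller.js
+++ b/src/controller/registry-org.controller/registry-org.controller.js
@@ -294,6 +294,13 @@ async function updateOrg (req, res, next) {
 
 // Eventually we should validate this, but this is a bit tricky.
 if (reviewOrg) {
+// For review objects, verify the provided UUID matches the target review object's UUID
+const providedUUID = body?.UUID || body?.uuid
+if (providedUUID && providedUUID !== reviewOrg.uuid) {
+await session.abortTransaction()
+return res.status(400).json(error.uuidProvided('org'))
+}
+
 const updateResult = await reviewRepo.updateReviewOrgObject(body, reviewOrg.uuid, { session })
 if (updateResult) {
 updatedOrg = reviewOrg
@@ -307,6 +314,15 @@ async function updateOrg (req, res, next) {
 }
 }
 
+// Verify that the provided UUID matches the existing organization's immutable database UUID
+if (org) {
+const providedUUID = body?.UUID || body?.uuid
+if (providedUUID && providedUUID !== org.UUID) {
+await session.abortTransaction()
+return res.status(400).json(error.uuidProvided('org'))
+}
+}
+
 // Validate org
 const result = repo.validateOrg(body, { session })
 if (!result.isValid) {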
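Review bot: The guards at new lines 298–302 and 319–323 compare only the first truthy alias, because `body?.UUID || body?.uuid` yields `body.UUID` whenever it is set, so a body carrying a correct `UUID` next to a different `uuid` passes both checks with the second spelling unexamined; whether that second spelling is honoured downstream depends on repository code that is not in the hunk. Collecting both spellings closes the gap: `const providedUUIDs = [body?.UUID, body?.uuid].filter((v) => v != null)` and `if (providedUUIDs.some((v) => v !== org.UUID)) {` (with `reviewOrg.uuid` in the review branch). The review branch compares against `reviewOrg.uuid` while the org branch compares against `org.UUID`; if the two object types really differ in field casing this is correct, but it is worth confirming against the models. updateOrg begins before the first hunk and continues past the second.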

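--- a/src/controller/registry-user.controller/registry-user.controller.js
+++ b/src/controller/registry-user.controller/registry-user.controller.js
@@ -295,6 +295,19 @@ async function updateUser (req, res, next) {
 }
 }
 
+// Allow existing UUIDs to be passed, but block any attempts to mutate them
+if (userToEdit) {
+if (body?.UUID || body?.uuid) {
+if (body.UUID) body.UUID = userToEdit.UUID
+if (body.uuid) body.uuid = userToEdit.UUID
+}
+
+if (body?.org_UUID || body?.org_uuid) {
+if (body.org_UUID) body.org_UUID = userToEdit.org_UUID
+if (body.org_uuid) body.org_uuid = userToEdit.org_UUID
+}
+}
+
 if (body.org_short_name && !isSecretariat) {
 logger.info({ uuid: req.ctx.uuid, message: 'Only Secretariat can reassign user organization.' })
 return res.status(403).json(error.notAllowedToChangeOrganization())
@@ -387,9 +400,10 @@ async function updateUser (req, res, next) {
 }
 }
 
-// UUID of the user will not change, lets get it before we write to avoid read after write issues.
+// Move lookups of immutable properties BEFORE the transaction mutation writes to completely bypass read-after-write anomalies
 const requestingUserUUID = await userRepo.getUserUUID(req.ctx.user, req.ctx.org, { session })
-updatedUserUUID = await userRepo.getUserUUID(req.ctx.user, org.UUID)
+updatedUserUUID = await userRepo.getUserUUID(req.ctx.user, org.UUID, { session })
+
 updatedUser = await userRepo.updateUserFull(userToEdit.UUID, body, { session }, true, requestingUserUUID)
 await session.commitTransaction()
 } catch (error) {
@@ -456,7 +470,8 @@ async function deleteUser (req, res, next) {
 }
 
 async function grantRole (req, res, next) {
-const session = await mongoose.startSession()
+// Explicitly configuring causalConsistency flag for clear DocumentDB context documentation
+const session = await mongoose.startSession({ causalConsistency: false })
 try {
 const orgShortName = req.ctx.params.shortname
 const username = req.ctx.params.username
@@ -519,7 +534,8 @@ async function grantRole (req, res, next) {
 }
 
 async function revokeRole (req, res, next) {
-const session = await mongoose.startSession()
+// Explicitly configuring causalConsistency flag for clear DocumentDB context documentation
+const session = await mongoose.startSession({ causalConsistency: false })
 try {
 const orgShortName = req.ctx.params.shortname
 const username = req.ctx.params.username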
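Review bot: The block at new lines 298–310 silently replaces a client-supplied `UUID`/`uuid`/`org_UUID`/`org_uuid` with the stored value, so a request that attempts to change those identifiers succeeds with the normal response, whereas the org controller in this same commit rejects a mismatch with a 400 from `error.uuidProvided`; the two endpoints now answer the same kind of tampering differently and the silent path hides the attempt from the caller and from logs. Rejecting here too would keep the contract consistent, e.g. `const providedUUIDs = [body?.UUID, body?.uuid].filter((v) => v != null)` followed by `if (providedUUIDs.some((v) => v !== userToEdit.UUID)) return res.status(400).json(error.uuidProvided('user'))`, assuming `error.uuidProvided` accepts a type other than `'org'` and aborting the session first if the transaction is already open at this point (not visible in the hunk). The truthiness tests `if (body.UUID)` also leave an empty-string value untouched, which later validation may or may not reject. updateUser begins before the first hunk; in grantRole and revokeRole the new comment says that causal consistency is being configured but not why it is turned off, and a one-line reason would help the next reader.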

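--- a/src/repositories/baseOrgRepository.js
+++ b/src/repositories/baseOrgRepository.js
@@ -594,8 +594,6 @@ class BaseOrgRepository extends BaseRepository {
 // Write - use org type specific model
 if (registryObjectRaw.authority.includes('SECRETARIAT')) {
 // Write
-// testing:
-registryObjectRaw.authority = 'SECRETARIAT'
 const SecretariatObjectToSave = new SecretariatOrgModel(registryObjectRaw)
 if (isSecretariat) {
 registryObject = await SecretariatObjectToSave.save(options)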
