Skip to content

Commit 71ca1b2

Browse files
committed
Users who are not admin or sec cant change stuff
1 parent ab4d4bf commit 71ca1b2

1 file changed

Lines changed: 10 additions & 1 deletion

File tree

src/controller/org.controller/org.controller.js

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -797,7 +797,7 @@ async function createUser (req, res, next) {
797797
if (!isSecretariat && isAdmin) {
798798
if (requesterOrgUUID !== orgUUID) {
799799
await session.abortTransaction(); session.endSession()
800-
return res.status(403).json(error.notOrgAdminOrSecretariat()) // The Admin user must belong to the new user's organization
800+
return res.status(403).json(error.notOrgAdminOrSecretariatUpdate()) // The Admin user must belong to the new user's organization
801801
}
802802
}
803803

@@ -928,6 +928,7 @@ async function updateUser (req, res, next) {
928928
}
929929

930930
const queryParameters = req.ctx.query
931+
931932
// Specific check for org_short_name (Secretariat only)
932933
if (queryParameters.org_short_name && !isRequesterSecretariat) {
933934
logger.info({ uuid: req.ctx.uuid, message: 'Only Secretariat can reassign user organization.' })
@@ -954,6 +955,14 @@ async function updateUser (req, res, next) {
954955
}
955956
}
956957

958+
if (!isRequesterSecretariat && !isAdmin) {
959+
if (targetUserUUID !== requesterUUID) {
960+
logger.info({ uuid: req.ctx.uuid, message: 'Only Secretariat can reassign user organization.' })
961+
await session.abortTransaction(); await session.endSession()
962+
return res.status(403).json(error.notSameUserOrSecretariatUpdate())
963+
}
964+
}
965+
957966
// handlers
958967
const handlers = {}
959968
const keys = Object.keys(queryParameters)

0 commit comments

Comments
 (0)