I can't read

Author: david-rocca

src/controller/org.controller/org.controller.js

@@ -905,9 +905,14 @@ async function updateUser (req, res, next) {
 
     if (!isRequesterSecretariat && !isAdmin) {
       if (targetUserUUID !== requesterUUID) {
-        logger.info({ uuid: req.ctx.uuid, message: 'Only Secretariat can reassign user organization.' })
+        if (!targetUserUUID) {
+          logger.info({ uuid: req.ctx.uuid, message: 'User DNE' })
+          await session.abortTransaction(); await session.endSession()
+          return res.status(404).json(error.userDne(usernameParams))
+        }
+        logger.info({ uuid: req.ctx.uuid, message: 'Not same user or secretariat' })
         await session.abortTransaction(); await session.endSession()
-        return res.status(403).json(error.notSameUserOrSecretariatUpdate())
+        return res.status(403).json(error.notSameUserOrSecretariat())
       }
     }
 
@@ -1027,6 +1032,13 @@ async function updateUser (req, res, next) {
       }
     }
 
+    if (queryParameters.active) {
+      if (requesterUUID === targetUserUUID) {
+        await session.abortTransaction; await session.endSession()
+        return res.status(403).json(error.notOrgAdminOrSecretariatUpdate())
+      }
+    }
+
     // Check to make sure we are NOT self demoting
     if (removeRolesCollector.includes('ADMIN')) {
       if (requesterUUID === targetUserUUID) {
@@ -1266,19 +1278,23 @@ async function resetSecret (req, res, next) {
     try {
       const isSecretariatLeg = await orgRepo.isSecretariat(requesterShortName, { session })
       const isSecretariatReg = await orgRegistryRepo.isSecretariat(requesterShortName, { session })
+
       const isSecretariat = isSecretariatLeg && isSecretariatReg
 
       const orgUUID = await orgRepo.getOrgUUID(orgShortName, { session }) // userUUID may be null if user does not exist
       const orgRegUUID = await orgRegistryRepo.getOrgUUID(orgShortName, { session })
+      const requesterOrgUUID = await orgRegistryRepo.getOrgUUID(requesterShortName, { session })
 
+      const requesterUUID = await userRegistryRepo.getUserUUID(requesterUsername, requesterOrgUUID, { session })
+      const targetUserUUID = await userRegistryRepo.getUserUUID(username, orgRegUUID, { session })
       // check if orgUUID and orgRegUUID are the same
       if (orgUUID.toString() !== orgRegUUID.toString()) {
         logger.info({ uuid: req.ctx.uuid, message: 'The organization UUID and the organization registry UUID are not the same.' })
         return res.status(500).json(error.internalServerError())
       }
 
       if (!orgUUID && !orgRegUUID) {
-        logger.info({ uuid: req.ctx.uuid, messsage: orgShortName + ' organization does not exist.' })
+        logger.info({ uuid: req.ctx.uuid, message: orgShortName + ' organization does not exist.' })
         return res.status(404).json(error.orgDnePathParam(orgShortName))
       }
 
@@ -1291,14 +1307,24 @@ async function resetSecret (req, res, next) {
       const oldUserRegistry = await userRegistryRepo.findOneByUserNameAndOrgUUID(username, orgRegUUID, null, { session })
 
       if (!oldUser && !oldUserRegistry) {
-        logger.info({ uuid: req.ctx.uuid, messsage: username + ' user does not exist.' })
+        logger.info({ uuid: req.ctx.uuid, message: username + ' user does not exist.' })
         return res.status(404).json(error.userDne(username))
       }
 
       const isLegAdmin = await userRepo.isAdmin(requesterUsername, requesterShortName, false, { session })
       const isRegAdmin = await userRegistryRepo.isAdmin(requesterUsername, requesterShortName, true, { session })
       const isAdmin = isLegAdmin && isRegAdmin
 
+      if (!isSecretariat && !isAdmin) {
+        if (targetUserUUID !== requesterUUID) {
+          if (!targetUserUUID) {
+            logger.info({ uuid: req.ctx.uuid, message: 'User DNE' })
+            await session.abortTransaction(); await session.endSession()
+            return res.status(404).json(error.userDne(username))
+          }
+        }
+      }
+
       // check if the user is not the requester or if the requester is not a secretariat
       if ((orgShortName !== requesterShortName || username !== requesterUsername) && !isSecretariat) {
       // check if the requester is not and admin; if admin, the requester must be from the same org as the user