Merge pull request #1811 from CVEProject/dr_1699

david-rocca · web-flow · commit b6ba5c7b80c5 · 2026-05-21T13:03:26.000-04:00
Resolves issue #1699, Fix registry user lookups by user UUID.
diff --git a/src/controller/registry-user.controller/registry-user.controller.js b/src/controller/registry-user.controller/registry-user.controller.js
@@ -103,21 +103,40 @@ async function getUser (req, res, next) {
   const isSecretariat = await repo.isSecretariatByShortName(req.ctx.org)
 
   try {
-    const result = identifier
-      ? await userRepo.getUserUUID(identifier)
-      : await userRepo.findOneByUsernameAndOrgShortname(userToGetParameters.username, userToGetParameters.org)
+    let result
+    let org
+
+    if (identifier) {
+      result = await userRepo.findUserByUUID(identifier)
+      if (!result) {
+        logger.info({ uuid: req.ctx.uuid, message: identifier + ' user could not be found.' })
+        return res.status(404).json(error.userDne(identifier))
+      }
+
+      const orgUUID = await repo.getOrgUUIDByUserUUID(identifier)
+      if (!orgUUID) {
+        logger.info({ uuid: req.ctx.uuid, message: identifier + ' user organization could not be found.' })
+        return res.status(404).json(error.userDne(identifier))
+      }
 
-    const org = identifier
-      ? await repo.getOrg(identifier, true)
-      : await repo.getOrg(req.ctx.params.shortname)
+      org = await repo.getOrg(orgUUID, true)
 
-    if (!result) {
-      logger.info({ uuid: req.ctx.uuid, message: identifier || userToGetParameters.username + 'user could not be found.' })
-      return res.status(404).json(error.userDne(userToGetParameters.username))
-    }
-    userToGetParameters = {
-      org: org.short_name,
-      username: result.username
+      userToGetParameters = {
+        org: org.short_name,
+        username: result.username
+      }
+    } else {
+      result = await userRepo.findOneByUsernameAndOrgShortname(userToGetParameters.username, userToGetParameters.org)
+      if (!result) {
+        logger.info({ uuid: req.ctx.uuid, message: userToGetParameters.username + ' user could not be found.' })
+        return res.status(404).json(error.userDne(userToGetParameters.username))
+      }
+
+      org = await repo.getOrg(req.ctx.params.shortname)
+      userToGetParameters = {
+        org: org.short_name,
+        username: result.username
+      }
     }
 
     if (!isSecretariat && req.ctx.org !== userToGetParameters.org) {
@@ -249,14 +268,31 @@ async function updateUser (req, res, next) {
   // TODO: This will need to be atomic at some point like revoke or grant
   // Specific check for org_short_name (Secretariat only)
 
-  const userToEdit = identifier
-    ? await userRepo.getUserUUID(identifier)
-    : await userRepo.findOneByUsernameAndOrgShortname(userToEditParameters.username, userToEditParameters.org, { session })
+  let userToEdit
+  let org
+  if (identifier) {
+    userToEdit = await userRepo.findUserByUUID(identifier, { session })
+    if (!userToEdit) {
+      logger.info({ uuid: req.ctx.uuid, message: identifier + ' user could not be found.' })
+      return res.status(404).json(error.userDne(identifier))
+    }
 
-  const org = await orgRepo.findOneByShortName(userToEditParameters.org)
-  if (!org) {
-    logger.info({ uuid: req.ctx.uuid, message: `Target organization ${userToEditParameters.org} does not exist.` })
-    return res.status(404).json(error.orgDnePathParam(userToEditParameters.org))
+    const orgUUID = await orgRepo.getOrgUUIDByUserUUID(identifier)
+    if (!orgUUID) {
+      logger.info({ uuid: req.ctx.uuid, message: identifier + ' user organization could not be found.' })
+      return res.status(404).json(error.orgDnePathParam(identifier))
+    }
+
+    org = await orgRepo.findOneByUUID(orgUUID, { session })
+    userToEditParameters.org = org.short_name
+    userToEditParameters.username = userToEdit.username
+  } else {
+    userToEdit = await userRepo.findOneByUsernameAndOrgShortname(userToEditParameters.username, userToEditParameters.org, { session })
+    org = await orgRepo.findOneByShortName(userToEditParameters.org)
+    if (!org) {
+      logger.info({ uuid: req.ctx.uuid, message: `Target organization ${userToEditParameters.org} does not exist.` })
+      return res.status(404).json(error.orgDnePathParam(userToEditParameters.org))
+    }
   }
 
   if (body.org_short_name && !isSecretariat) {
diff --git a/src/repositories/baseOrgRepository.js b/src/repositories/baseOrgRepository.js
@@ -188,6 +188,21 @@ class BaseOrgRepository extends BaseRepository {
     return null
   }
 
+  // Eventually, when a user can be in more than one org this will no longer be valid.
+  /**
+   * @async
+   * @function getOrgUUIDByUserUUID
+   * @description Retrieves the UUID of an organization by a user's UUID.
+   * @param {string} userUUID - The UUID of the user.
+   * @param {object} [options={}] - Optional settings for the repository query.
+   * @returns {Promise<string|null>} The organization UUID or null if not found.
+   */
+  async getOrgUUIDByUserUUID (userUUID, options = {}) {
+    const org = await BaseOrgModel.findOne({ users: userUUID }, null, options).select('UUID')
+    if (org) return org.UUID
+    return null
+  }
+
   /**
    * @async
    * @function orgExists
