Users who are not admin or sec cant change stuff

david-rocca · david-rocca · commit d62d4e3c43b1 · 2025-06-09T20:54:19.000-04:00
diff --git a/src/controller/org.controller/org.controller.js b/src/controller/org.controller/org.controller.js
@@ -797,7 +797,7 @@ async function createUser (req, res, next) {
     if (!isSecretariat && isAdmin) {
       if (requesterOrgUUID !== orgUUID) {
         await session.abortTransaction(); session.endSession()
-        return res.status(403).json(error.notOrgAdminOrSecretariat()) // The Admin user must belong to the new user's organization
+        return res.status(403).json(error.notOrgAdminOrSecretariatUpdate()) // The Admin user must belong to the new user's organization
       }
     }
 
@@ -928,6 +928,15 @@ async function updateUser (req, res, next) {
     }
 
     const queryParameters = req.ctx.query
+
+    if (!isRequesterSecretariat && !isAdmin) {
+      if (targetUserUUID !== requesterUUID) {
+        logger.info({ uuid: req.ctx.uuid, message: 'Only Secretariat can reassign user organization.' })
+        await session.abortTransaction(); await session.endSession()
+        return res.status(403).json(error.notSameUserOrSecretariatUpdate())
+      }
+    }
+
     // Specific check for org_short_name (Secretariat only)
     if (queryParameters.org_short_name && !isRequesterSecretariat) {
       logger.info({ uuid: req.ctx.uuid, message: 'Only Secretariat can reassign user organization.' })
