Merge pull request #567 from wizedkyle/issue-564

Issue #564
CVEProject · Mar 21, 2022 · 340bdfb · 340bdfb
2 parents 6b085e4 + 0776f88
commit 340bdfb
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 5 deletions.
diff --git a/src/controller/org.controller/org.controller.js b/src/controller/org.controller/org.controller.js
@@ -636,19 +636,24 @@ async function resetSecret (req, res, next) {
     const orgShortName = req.ctx.params.shortname
     const userRepo = req.ctx.repositories.getUserRepository()
     const orgRepo = req.ctx.repositories.getOrgRepository()
+    const isSecretariat = await orgRepo.isSecretariat(requesterShortName)
     const orgUUID = await orgRepo.getOrgUUID(orgShortName) // userUUID may be null if user does not exist
     if (!orgUUID) {
       logger.info({ uuid: req.ctx.uuid, messsage: orgShortName + ' organization does not exist.' })
       return res.status(404).json(error.orgDneParam(orgShortName))
     }
 
+    if (orgShortName !== requesterShortName && !isSecretariat) {
+      logger.info({ uuid: req.ctx.uuid, message: orgShortName + ' organization can only be viewed by the users of the same organization or the Secretariat.' })
+      return res.status(403).json(error.notSameOrgOrSecretariat())
+    }
+
     const oldUser = await userRepo.findOneByUserNameAndOrgUUID(username, orgUUID)
     if (!oldUser) {
       logger.info({ uuid: req.ctx.uuid, messsage: username + ' user does not exist.' })
       return res.status(404).json(error.userDne(username))
     }
 
-    const isSecretariat = await orgRepo.isSecretariat(requesterShortName)
     const isAdmin = await userRepo.isAdmin(requesterUsername, requesterShortName)
     // check if the user is not the requester or if the requester is not a secretariat
     if ((orgShortName !== requesterShortName || username !== requesterUsername) && !isSecretariat) {

diff --git a/test-http/src/test/org_user_tests/org_as_org_admin.py b/test-http/src/test/org_user_tests/org_as_org_admin.py
@@ -455,7 +455,7 @@ def test_org_admin_reset_diff_org_secret(org_admin_headers):
         headers=org_admin_headers
     )
     assert res.status_code == 403
-    response_contains_json(res, 'error', 'NOT_SAME_USER_OR_SECRETARIAT')
+    response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
 
 
 def test_org_admin_reset_same_org_secret(org_admin_headers):

diff --git a/test/unit-tests/user/userResetSecretTest.js b/test/unit-tests/user/userResetSecretTest.js
@@ -273,7 +273,7 @@ describe('Testing the PUT /org/:shortname/user/:username/reset_secret endpoint i
 
           expect(res).to.have.status(403)
           expect(res).to.have.property('body').and.to.be.a('object')
-          const errObj = error.notSameUserOrSecretariat()
+          const errObj = error.notSameOrgOrSecretariat()
           expect(res.body.error).to.equal(errObj.error)
           expect(res.body.message).to.equal(errObj.message)
           done()
@@ -302,7 +302,7 @@ describe('Testing the PUT /org/:shortname/user/:username/reset_secret endpoint i
 
           expect(res).to.have.status(403)
           expect(res).to.have.property('body').and.to.be.a('object')
-          const errObj = error.notSameUserOrSecretariat()
+          const errObj = error.notSameOrgOrSecretariat()
           expect(res.body.error).to.equal(errObj.error)
           expect(res.body.message).to.equal(errObj.message)
           done()
@@ -331,7 +331,7 @@ describe('Testing the PUT /org/:shortname/user/:username/reset_secret endpoint i
 
           expect(res).to.have.status(403)
           expect(res).to.have.property('body').and.to.be.a('object')
-          const errObj = error.notSameUserOrSecretariat()
+          const errObj = error.notSameOrgOrSecretariat()
           expect(res.body.error).to.equal(errObj.error)
           expect(res.body.message).to.equal(errObj.message)
           done()