From e0f313c9fb120ee3b6ead9acd62544966b3b7bf7 Mon Sep 17 00:00:00 2001
From: Kyle Jackson
Date: Wed, 9 Mar 2022 21:58:35 +1000
Subject: [PATCH 1/3] Updated resetSecret functionality
---
 src/controller/org.controller/org.controller.js | 8 +++++++-
 test/unit-tests/user/userResetSecretTest.js | 6 +++---
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/controller/org.controller/org.controller.js b/src/controller/org.controller/org.controller.js
index b025cda0d..0021a1672 100644
--- a/src/controller/org.controller/org.controller.js
+++ b/src/controller/org.controller/org.controller.js
@@ -636,19 +636,25 @@ async function resetSecret (req, res, next) {
 const orgShortName = req.ctx.params.shortname
 const userRepo = req.ctx.repositories.getUserRepository()
 const orgRepo = req.ctx.repositories.getOrgRepository()
+ const isSecretariat = await orgRepo.isSecretariat(requesterShortName)
 const orgUUID = await orgRepo.getOrgUUID(orgShortName) // userUUID may be null if user does not exist
 if (!orgUUID) {
 logger.info({ uuid: req.ctx.uuid, messsage: orgShortName + ' organization does not exist.' })
 return res.status(404).json(error.orgDneParam(orgShortName))
 }
+ if (orgShortName !== requesterShortName && !isSecretariat) {
+ logger.info({ uuid: req.ctx.uuid, message: orgShortName + ' organization can only be viewed by the users of the same organization or the Secretariat.' })
+ return res.status(403).json(error.notSameOrgOrSecretariat())
+ }
+
 const oldUser = await userRepo.findOneByUserNameAndOrgUUID(username, orgUUID)
 if (!oldUser) {
 logger.info({ uuid: req.ctx.uuid, messsage: username + ' user does not exist.' })
+ console.log('test')
 return res.status(404).json(error.userDne(username))
 }
- const isSecretariat = await orgRepo.isSecretariat(requesterShortName)
 const isAdmin = await userRepo.isAdmin(requesterUsername, requesterShortName)
 // check if the user is not the requester or if the requester is not a secretariat
 if ((orgShortName !== requesterShortName || username !== requesterUsername) && !isSecretariat) {
diff --git a/test/unit-tests/user/userResetSecretTest.js b/test/unit-tests/user/userResetSecretTest.js
index cc660b952..54883d931 100644
--- a/test/unit-tests/user/userResetSecretTest.js
+++ b/test/unit-tests/user/userResetSecretTest.js
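Review bot: The new 403 guard is evaluated after the `orgUUID` existence check, so a non-Secretariat requester from another organization receives 404 for an unknown shortname and 403 for a known one, which discloses whether an organization shortname exists; if shortnames are not meant to be public, the guard depends only on `requesterShortName` and `isSecretariat` and can be moved directly after the added `isSecretariat` line, ahead of `getOrgUUID`. Once the guard is in place the first disjunct of the later condition `(orgShortName !== requesterShortName || username !== requesterUsername) && !isSecretariat` can no longer be true, so it reduces to `if (username !== requesterUsername && !isSecretariat) {` and the comment above it should say so. The log text in the new branch says the organization `can only be viewed`, but this handler resets a secret; `' organization secrets can only be reset by users of the same organization or the Secretariat.'` describes the action. resetSecret begins before this hunk and continues past it.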
@@ -273,7 +273,7 @@ describe('Testing the PUT /org/:shortname/user/:username/reset_secret endpoint i
 expect(res).to.have.status(403)
 expect(res).to.have.property('body').and.to.be.a('object')
- const errObj = error.notSameUserOrSecretariat()
+ const errObj = error.notSameOrgOrSecretariat()
 expect(res.body.error).to.equal(errObj.error)
 expect(res.body.message).to.equal(errObj.message)
 done()
@@ -302,7 +302,7 @@ describe('Testing the PUT /org/:shortname/user/:username/reset_secret endpoint i
 expect(res).to.have.status(403)
 expect(res).to.have.property('body').and.to.be.a('object')
- const errObj = error.notSameUserOrSecretariat()
+ const errObj = error.notSameOrgOrSecretariat()
 expect(res.body.error).to.equal(errObj.error)
 expect(res.body.message).to.equal(errObj.message)
 done()
@@ -331,7 +331,7 @@ describe('Testing the PUT /org/:shortname/user/:username/reset_secret endpoint i
 expect(res).to.have.status(403)
 expect(res).to.have.property('body').and.to.be.a('object')
- const errObj = error.notSameUserOrSecretariat()
+ const errObj = error.notSameOrgOrSecretariat()
 expect(res.body.error).to.equal(errObj.error)
 expect(res.body.message).to.equal(errObj.message)
 done()
From b9ba941f80cb8fb42fabb66a7e17705a1c2c5c5c Mon Sep 17 00:00:00 2001
From: Kyle Jackson
Date: Wed, 9 Mar 2022 22:22:16 +1000
Subject: [PATCH 2/3] Fixed black box tests
---
 test-http/src/test/org_user_tests/org_as_org_admin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test-http/src/test/org_user_tests/org_as_org_admin.py b/test-http/src/test/org_user_tests/org_as_org_admin.py
index 32279584c..a40058fd0 100644
--- a/test-http/src/test/org_user_tests/org_as_org_admin.py
+++ b/test-http/src/test/org_user_tests/org_as_org_admin.py
@@ -455,7 +455,7 @@ def test_org_admin_reset_diff_org_secret(org_admin_headers):
 headers=org_admin_headers
 )
 assert res.status_code == 403
- response_contains_json(res, 'error', 'NOT_SAME_USER_OR_SECRETARIAT')
+ response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
 def test_org_admin_reset_same_org_secret(org_admin_headers):
From dc73a7aee2d69ef70be5c597b5dbbec907f52671 Mon Sep 17 00:00:00 2001
From: Kyle Jackson
Date: Mon, 14 Mar 2022 16:55:15 +1000
Subject: [PATCH 3/3] Removed test log
---
 src/controller/org.controller/org.controller.js | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/controller/org.controller/org.controller.js b/src/controller/org.controller/org.controller.js
index 0021a1672..9f7bb8845 100644
--- a/src/controller/org.controller/org.controller.js
+++ b/src/controller/org.controller/org.controller.js
@@ -651,7 +651,6 @@ async function resetSecret (req, res, next) {
 const oldUser = await userRepo.findOneByUserNameAndOrgUUID(username, orgUUID)
 if (!oldUser) {
 logger.info({ uuid: req.ctx.uuid, messsage: username + ' user does not exist.' })
- console.log('test')
 return res.status(404).json(error.userDne(username))
 }