From 403b3bf417cbad7f950e7860b0c4ee659b5c8284 Mon Sep 17 00:00:00 2001
From: jack-flores
Date: Wed, 31 Jul 2024 15:53:52 -0400
Subject: [PATCH] #1258 now rejects non-sec requests with params

---
 .../org.controller/org.controller.js | 4 +++
 src/middleware/middleware.js | 6 +++--
 test/integration-tests/org/putOrgTest.js | 27 ++++++++++++++-----
 3 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/src/controller/org.controller/org.controller.js b/src/controller/org.controller/org.controller.js
index 929c4853c..b4e1873f4 100644
--- a/src/controller/org.controller/org.controller.js
+++ b/src/controller/org.controller/org.controller.js
@@ -409,6 +409,10 @@ async function updateOrg (req, res, next) {
     result = await orgRepo.aggregate(agt)
     result = result.length > 0 ? result[0] : null
 
+    if (!isSec) {
+      result = { last_active: result.last_active }
+    }
+
     const responseMessage = {
       message: shortName + ' organization was successfully updated.',
       updated: result
diff --git a/src/middleware/middleware.js b/src/middleware/middleware.js
index 829a90d20..35e505103 100644
--- a/src/middleware/middleware.js
+++ b/src/middleware/middleware.js
@@ -146,9 +146,11 @@ async function validateOrg (req, res, next) {
     const isSec = await orgRepo.isSecretariat(org)
 
     if (!isSec) {
-      if (!(org === reqOrg)) {
+      if (org !== reqOrg) {
         logger.info({ uuid: req.ctx.uuid, message: org + ' is not a ' + CONSTANTS.AUTH_ROLE_ENUM.SECRETARIAT + ' or the same as ' + reqOrg + ' and is not allowed to make these changes.' })
-        return res.status(401).json(error.unauthorized())
+        return res.status(403).json(error.secretariatOnly())
+      } else if (Object.keys(req.query).length > 0) {
+        return res.status(403).json(error.secretariatOnly())
       }
     }
 
diff --git a/test/integration-tests/org/putOrgTest.js b/test/integration-tests/org/putOrgTest.js
index 0b47f8646..dec0a2b05 100644
--- a/test/integration-tests/org/putOrgTest.js
+++ b/test/integration-tests/org/putOrgTest.js
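Review bot: The new guard in updateOrg dereferences `result` unconditionally, but the line directly above sets `result` to `null` when the aggregate returns no rows, so a non-secretariat update that matches no document now throws a TypeError inside the handler instead of producing a response. Narrow only when there is something to narrow, `result = result ? { last_active: result.last_active } : null`, or return whatever not-found error the function uses elsewhere (not visible in the hunk). Trimming the response to `last_active` for non-secretariat callers is a sensible minimum-disclosure change; the rest of updateOrg, including where `isSec` is computed, lies outside the hunk.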
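Review bot: The new `else if` branch in validateOrg rejects a same-org request carrying query parameters without writing a log entry, while the sibling branch records its rejection through `logger.info`; a 403 that leaves no trace makes this rejection invisible to anyone reviewing the logs for denied changes. Add a line before the return in the same style, e.g. `logger.info({ uuid: req.ctx.uuid, message: org + ' is not a ' + CONSTANTS.AUTH_ROLE_ENUM.SECRETARIAT + ' and is not allowed to update fields other than last_active.' })`. Note that `Object.keys(req.query).length > 0` rejects any query string from a non-secretariat org, so if validateOrg is mounted on routes other than the org PUT (not visible here) those routes inherit the restriction; confirm the mount points. Only `req.query` is inspected, so if updateOrg reads any updatable field from `req.body` the same restriction should apply there too. The enclosing function continues outside the hunk.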
@@ -65,7 +65,6 @@ describe('Testing org put endpoint', () => {
       await chai.request(app)
         .put('/api/org/win_5')
         .set({ ...constants.nonSecretariatUserHeaders })
-        .query(params)
         .send()
         .then((res, err) => {
           // Assert that that the last_active field was updated under 2 seconds ago
@@ -75,8 +74,9 @@ describe('Testing org put endpoint', () => {
           expect(withinTwoSeconds).to.be.true
           // Assert no other fields were changed
           expect(res).to.have.status(200)
-          expect(res.body.updated.name).to.equal(cnaParams.name)
-          expect(res.body.updated.policies.id_quota).to.equal(cnaParams.id_quota)
+          expect(res.body.updated.active_roles).to.be.undefined
+          expect(res.body.updated.name).to.be.undefined
+          expect(res.body.updated.policies).to.be.undefined
           expect(err).to.be.undefined
         })
     })
@@ -88,10 +88,23 @@ describe('Testing org put endpoint', () => {
         .set({ ...constants.nonSecretariatUserHeaders })
         .send()
         .then((res, err) => {
-          expect(res).to.have.status(401)
+          expect(res).to.have.status(403)
+          expect(err).to.be.undefined
+          expect(res.body).to.haveOwnProperty('error')
+          expect(res.body.error).to.equal('SECRETARIAT_ONLY')
+        })
+    })
+    it('Fails update to fields made by a non-secretariat org to itself', async () => {
+      await chai.request(app)
+        .put('/api/org/win_5')
+        .set({ ...constants.nonSecretariatUserHeaders })
+        .query(params)
+        .send()
+        .then((res, err) => {
+          expect(res).to.have.status(403)
           expect(err).to.be.undefined
           expect(res.body).to.haveOwnProperty('error')
-          expect(res.body.error).to.equal('UNAUTHORIZED')
+          expect(res.body.error).to.equal('SECRETARIAT_ONLY')
         })
     })
     it('Fails update made by a non-secretariat org to a secretariat', async () => {
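Review bot: The context comment `// Assert no other fields were changed` in the second hunk no longer describes what the assertions below it verify: once the controller returns only `last_active` to non-secretariat callers, `name`, `policies` and `active_roles` are undefined in the response whether or not the stored record was modified, so the rewritten `to.be.undefined` checks cannot detect an unintended write. Either reword the comment to `// Assert the response is narrowed to last_active for non-secretariat callers` or add a follow-up secretariat GET of `win_5` and assert the stored `name` and `policies.id_quota` still equal `cnaParams`. The new third test in the last hunk does cover the rejection path, but it also only inspects the response; `params` and `cnaParams` are defined outside the hunks.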
@@ -100,10 +113,10 @@ describe('Testing org put endpoint', () => {
         .set({ ...constants.nonSecretariatUserHeaders })
         .send()
         .then((res, err) => {
-          expect(res).to.have.status(401)
+          expect(res).to.have.status(403)
           expect(err).to.be.undefined
           expect(res.body).to.haveOwnProperty('error')
-          expect(res.body.error).to.equal('UNAUTHORIZED')
+          expect(res.body.error).to.equal('SECRETARIAT_ONLY')
         })
     })
 })