Merge pull request #534 from CVEProject/hotfix/restrict_org_change
Keep Org Admins from changing user's org.
mattrbianchi committed Dec 9, 2021
2 parents 7bd7989 + d1b44b5 commit 5c50baf
Showing 3 changed files with 59 additions and 0 deletions.
7 changes: 7 additions & 0 deletions src/controller/org.controller/error.js
@@ -22,6 +22,13 @@ class OrgControllerError extends idrErr.IDRError {
return err
}

notAllowedToChangeOrganization () {
const err = {}
err.error = 'NOT_ALLOWED_TO_CHANGE_ORGANIZATION'
err.message = 'Only the Secretariat can change the organization for a user.'
return err
}

orgExists (shortname) { // org
const err = {}
err.error = 'ORG_EXISTS'
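--- a/src/controller/org.controller/org.controller.js
+++ b/src/controller/org.controller/org.controller.js
@@ -501,6 +501,10 @@ async function updateUser (req, res, next) {
 } else if (key === 'org_shortname') {
 newOrgShortName = req.ctx.query.org_shortname
 changesRequirePrivilegedRole = true
+if (!isSecretariat) {
+logger.info({ uuid: req.ctx.uuid, message: 'The user could not be updated because ' + requesterUsername + ' is an Org Admin and tried to reassign the organization.' })
+return res.status(403).json(error.notAllowedToChangeOrganization())
+}
 } else if (key === 'name.first') {
 newUser.name.first = req.ctx.query['name.first']
 } else if (key === 'name.last') {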
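Review bot: The `logger.info` call in the new guard concatenates `requesterUsername` into free-form message text; that value appears to originate from the request (the test drives it via a header), so a crafted username containing newlines or misleading text can forge or split log records, and the entry is also harder to query. Carry it as its own structured field and keep the message fixed, e.g. `logger.info({ uuid: req.ctx.uuid, requester: requesterUsername, message: 'The user could not be updated because the requester is an Org Admin and tried to reassign the organization.' })`. The check relies on `isSecretariat` being resolved before the loop over query keys, which cannot be confirmed from this hunk since `updateUser` begins and ends outside it.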
48 changes: 48 additions & 0 deletions test/unit-tests/user/userUpdateTest.js
@@ -277,6 +277,54 @@ describe('Testing the PUT /org/:shortname/user/:username endpoint in Org Control
})
})

it('User is not updated because Org Admin is trying to change organization', (done) => {
class Org {
async getOrgUUID () {
return userFixtures.existentOrg.UUID
}

async isSecretariat () {
return false
}
}

class User {
async findOneByUserNameAndOrgUUID () {
return userFixtures.existentUser
}

async isAdmin () {
return true
}
}

app.route('/user-not-updated-admin-changing-org/:shortname/:username')
.put((req, res, next) => {
const factory = {
getOrgRepository: () => { return new Org() },
getUserRepository: () => { return new User() }
}
req.ctx.repositories = factory
next()
}, orgParams.parsePostParams, orgController.USER_UPDATE_SINGLE)

chai.request(app)
.put(`/user-not-updated-admin-changing-org/${userFixtures.existentOrgDummy.short_name}/${userFixtures.userA.username}?org_shortname=${userFixtures.existentOrgDummy.short_name}`)
.set(userFixtures.userDHeader)
.end((err, res) => {
if (err) {
done(err)
}

expect(res).to.have.status(403)
expect(res).to.have.property('body').and.to.be.a('object')
const errObj = error.notAllowedToChangeOrganization()
expect(res.body.error).to.equal(errObj.error)
expect(res.body.message).to.equal(errObj.message)
done()
})
})

it('User is not updated because requestor is Org Admin of different organization', (done) => {
class Org {
async getOrgUUID () {
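Review bot: In the `.end` callback, `if (err) { done(err) }` does not return, so on a transport error the test still runs the `expect` assertions and calls `done()` a second time, which Mocha reports as a separate failure that hides the original error. Change the branch to `return done(err)`. The added test only asserts the 403 response body; it does not assert that no repository write happened, though the `User` stub here has no update method so a write would surface as a thrown error rather than a silent pass.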
