Resolves Issue #1773, Additional Validation of User Authorization on Conversation Edits

[afoote-mitre]

Closes Issue #1773

Summary

Conversation edits didn't properly differentiate between a regular user and a Secretariat user, preventing Secretariat users from editing or moderating a conversation that they didn't author. We now check isSecretariat as part of the authorization evaluation, to allow them to edit/moderate as expected.

Additionally, users that were no longer part of an org but still had a valid token, could edit old conversations that they were previously a part of. We now check the org associated with the user's active session against the org that owns the conversation itself. If there is a mismatch, the user is not allowed to make edits.

Important Changes

src/controller/registry-org.controller/registry-org.controller.js

• Updated authorization to check for isSecretariat to ensure that Secretariat users can edit or moderate any conversation
• Updated authorization to compare the org associated with the user's active session, against the conversation owning org

Testing

Steps to manually test updated functionality, if possible

• 1) Run npm run test:integration and ensure all tests pass