From 2bebd76e75044fe677885284d13924e662a617a3 Mon Sep 17 00:00:00 2001
From: Gareth Bowen
Date: Thu, 16 May 2024 10:48:42 +0200
Subject: [PATCH] fix(#9108): block updating admin only docs
---
 ddocs/medic-db/medic/validate_doc_update.js | 2 +-
 .../mocha/unit/validate_doc_update.spec.js | 42 ++++++++++++++++++-
 2 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/ddocs/medic-db/medic/validate_doc_update.js b/ddocs/medic-db/medic/validate_doc_update.js
index 39aad49a3ec..72309bb9e99 100644
--- a/ddocs/medic-db/medic/validate_doc_update.js
+++ b/ddocs/medic-db/medic/validate_doc_update.js
@@ -74,7 +74,7 @@ function(newDoc, oldDoc, userCtx, secObj) {
 return;
 }
- if (isAdminOnlyDoc(newDoc)) {
+ if (isAdminOnlyDoc(newDoc) || (oldDoc && isAdminOnlyDoc(oldDoc))) {
 _err('You are not authorized to edit admin only docs');
 }
diff --git a/webapp/tests/mocha/unit/validate_doc_update.spec.js b/webapp/tests/mocha/unit/validate_doc_update.spec.js
index 4a9bb803674..8f3a3185ed2 100644
--- a/webapp/tests/mocha/unit/validate_doc_update.spec.js
+++ b/webapp/tests/mocha/unit/validate_doc_update.spec.js
@@ -62,7 +62,8 @@ describe('validate doc update', () => {
 return forbidden(clientFn, msg, userCtx, newDoc, oldDoc, secObj);
 };
- describe('only db and national admins are allowed to change...', () => {
+ describe('only db and national admins are allowed to create...', () => {
+ const adminCtx = userCtx({ roles: [ '_admin' ] });
 const nationalAdminCtx = userCtx({ roles: [ 'national_admin' ] });
 const testUserCtx = userCtx({ roles: [ 'test' ] });
 Object.entries({
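Review bot: The widened condition on the `+` line is the whole fix, yet nothing in the hunk records why the stored revision is now consulted, and a later reader is likely to see the `oldDoc` test as redundant with the `newDoc` one. I would add a why-comment directly above it: `// Check the stored revision too: a non-admin must not be able to take a doc out of the admin-only set by rewriting whatever isAdminOnlyDoc keys on (or, presumably, by deleting it — a deletion stub carries no type; confirm against isAdminOnlyDoc).` The `oldDoc &&` guard is what keeps the create path working, since there is no stored revision then. The enclosing validation function, the `isAdminOnlyDoc` helper and the branch that produces the early `return` at the top of the hunk all lie outside it, so whether any earlier branch lets a non-admin bypass this check cannot be judged from here.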
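Review bot: The retitled `describe` on the `+` line states that db and national admins are allowed to create these docs, but the suite's own body (continued in the next hunk) asserts `forbiddenOnServer('You are not authorized to edit admin only docs', nationalAdminCtx, doc)`, so the title contradicts the expectation it carries; the same wording is then copied into the new update suite. If the forbidden assertion reflects the intended policy, the rename should be `describe('only db admins are allowed to create...', () => {`; if national admins really are meant to be allowed, the assertion is the thing to change, and that is a behaviour question for the author rather than a test-only fix. The `describe` body runs past the end of this hunk.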
@@ -76,13 +77,50 @@ describe('validate doc update', () => {
 'partners': { _id: 'partners' }
 }).forEach(([ name, doc ]) => {
 it(name, () => {
- allowedOnServer(userCtx({ roles: [ '_admin' ] }), doc);
+ allowedOnServer(adminCtx, doc);
 forbiddenOnServer('You are not authorized to edit admin only docs', nationalAdminCtx, doc);
 forbiddenOnServer('You are not authorized to edit admin only docs', testUserCtx, doc);
 });
 });
 });
+ describe('only db and national admins are allowed to update...', () => {
+ const adminCtx = userCtx({ roles: [ '_admin' ] });
+ const testUserCtx = userCtx({ roles: [ 'test' ] });
+ [
+ {
+ name: 'forms',
+ oldDoc: { _id: 'a', type: 'form' },
+ newDoc: { _id: 'a', type: 'feedback' }
+ },
+ {
+ name: 'translations',
+ oldDoc: { _id: 'messages-en', type: 'translations' },
+ newDoc: { _id: 'messages-en', type: 'feedback' }
+ },
+ {
+ name: 'extension-libs',
+ oldDoc: { _id: 'extension-libs' },
+ newDoc: { _id: 'extension-libs', field: 'mine' }
+ },
+ {
+ name: 'branding',
+ oldDoc: { _id: 'branding' },
+ newDoc: { _id: 'branding', field: 'mine' }
+ },
+ {
+ name: 'partners',
+ oldDoc: { _id: 'partners' },
+ newDoc: { _id: 'partners', field: 'mine' }
+ },
+ ].forEach(({ name, oldDoc, newDoc }) => {
+ it(name, () => {
+ allowedOnServer(adminCtx, newDoc, oldDoc);
+ forbiddenOnServer('You are not authorized to edit admin only docs', testUserCtx, newDoc, oldDoc);
+ });
+ });
+ });
+
 it('only db admins are allowed change their own place', () => {
 const doc = { _id: 'abc', type: 'clinic' };
 const adminCtx = userCtx({ roles: [ '_admin' ], facility_id: 'abc' });
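Review bot: The new update suite never passes a deletion stub and never exercises `nationalAdminCtx`, so the two inputs most likely to regress the production check go untested: every case here rewrites `type` or adds a field, while a `{ _id, _deleted: true }` document is exactly the shape where `isAdminOnlyDoc(newDoc)` is presumably false and only the `oldDoc` branch of the fix can reject it. The title also names national admins but the body only asserts `adminCtx` and `testUserCtx`; the create suite just above asserts the national admin is forbidden, so the same assertion (or a corrected title) belongs here. I would declare `nationalAdminCtx` alongside `adminCtx`, add a deletion case to the array and assert both non-admin roles, assuming the `allowedOnServer`/`forbiddenOnServer` helpers (defined above this hunk) pass `newDoc` through to the validation function unchanged.

```javascript
    const adminCtx = userCtx({ roles: [ '_admin' ] });
    const nationalAdminCtx = userCtx({ roles: [ 'national_admin' ] });
    // … unchanged: testUserCtx and the existing forms / translations / extension-libs / branding / partners cases …
      {
        name: 'deleted forms',
        oldDoc: { _id: 'a', type: 'form' },
        newDoc: { _id: 'a', _deleted: true }
      },
    ].forEach(({ name, oldDoc, newDoc }) => {
      it(name, () => {
        allowedOnServer(adminCtx, newDoc, oldDoc);
        forbiddenOnServer('You are not authorized to edit admin only docs', nationalAdminCtx, newDoc, oldDoc);
        forbiddenOnServer('You are not authorized to edit admin only docs', testUserCtx, newDoc, oldDoc);
      });
```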