#1258 now rejects non-sec requests with params

Author: jack-flores

src/controller/org.controller/org.controller.js

@@ -409,6 +409,10 @@ async function updateOrg (req, res, next) {
     result = await orgRepo.aggregate(agt)
     result = result.length > 0 ? result[0] : null
 
+    if (!isSec) {
+      result = { last_active: result.last_active }
+    }
+
     const responseMessage = {
       message: shortName + ' organization was successfully updated.',
       updated: result

src/middleware/middleware.js

@@ -146,9 +146,11 @@ async function validateOrg (req, res, next) {
 
     const isSec = await orgRepo.isSecretariat(org)
     if (!isSec) {
-      if (!(org === reqOrg)) {
+      if (org !== reqOrg) {
         logger.info({ uuid: req.ctx.uuid, message: org + ' is not a ' + CONSTANTS.AUTH_ROLE_ENUM.SECRETARIAT + ' or the same as ' + reqOrg + ' and is not allowed to make these changes.' })
-        return res.status(401).json(error.unauthorized())
+        return res.status(403).json(error.secretariatOnly())
+      } else if (Object.keys(req.query).length > 0) {
+        return res.status(403).json(error.secretariatOnly())
       }
     }
 

test/integration-tests/org/putOrgTest.js

@@ -65,7 +65,6 @@ describe('Testing org put endpoint', () => {
       await chai.request(app)
         .put('/api/org/win_5')
         .set({ ...constants.nonSecretariatUserHeaders })
-        .query(params)
         .send()
         .then((res, err) => {
           // Assert that that the last_active field was updated under 2 seconds ago
@@ -75,8 +74,9 @@ describe('Testing org put endpoint', () => {
           expect(withinTwoSeconds).to.be.true
           // Assert no other fields were changed
           expect(res).to.have.status(200)
-          expect(res.body.updated.name).to.equal(cnaParams.name)
-          expect(res.body.updated.policies.id_quota).to.equal(cnaParams.id_quota)
+          expect(res.body.updated.active_roles).to.be.undefined
+          expect(res.body.updated.name).to.be.undefined
+          expect(res.body.updated.policies).to.be.undefined
           expect(err).to.be.undefined
         })
     })
@@ -88,10 +88,23 @@ describe('Testing org put endpoint', () => {
         .set({ ...constants.nonSecretariatUserHeaders })
         .send()
         .then((res, err) => {
-          expect(res).to.have.status(401)
+          expect(res).to.have.status(403)
+          expect(err).to.be.undefined
+          expect(res.body).to.haveOwnProperty('error')
+          expect(res.body.error).to.equal('SECRETARIAT_ONLY')
+        })
+    })
+    it('Fails update to fields made by a non-secretariat org to itself', async () => {
+      await chai.request(app)
+        .put('/api/org/win_5')
+        .set({ ...constants.nonSecretariatUserHeaders })
+        .query(params)
+        .send()
+        .then((res, err) => {
+          expect(res).to.have.status(403)
           expect(err).to.be.undefined
           expect(res.body).to.haveOwnProperty('error')
-          expect(res.body.error).to.equal('UNAUTHORIZED')
+          expect(res.body.error).to.equal('SECRETARIAT_ONLY')
         })
     })
     it('Fails update made by a non-secretariat org to a secretariat', async () => {
@@ -100,10 +113,10 @@ describe('Testing org put endpoint', () => {
         .set({ ...constants.nonSecretariatUserHeaders })
         .send()
         .then((res, err) => {
-          expect(res).to.have.status(401)
+          expect(res).to.have.status(403)
           expect(err).to.be.undefined
           expect(res.body).to.haveOwnProperty('error')
-          expect(res.body.error).to.equal('UNAUTHORIZED')
+          expect(res.body.error).to.equal('SECRETARIAT_ONLY')
         })
     })
   })