Merge pull request #1602 from CVEProject/dr_cleanup_jan

Various cleanup items

Author: david-rocca

src/controller/org.controller/org.controller.js

@@ -122,7 +122,7 @@ async function getUsers (req, res, next) {
       return res.status(403).json(error.notSameOrgOrSecretariat())
     }
 
-    const payload = await userRepo.getAllUsersByOrgShortname(orgShortName, options, !req.useRegistry)
+    const payload = await userRepo.getAllUsersByOrgShortname(orgShortName, options, !!req.useRegistry)
 
     logger.info({ uuid: req.ctx.uuid, message: `The users of ${orgShortName} organization were sent to the user.` })
     return res.status(200).json(payload)
@@ -157,7 +157,7 @@ async function getUser (req, res, next) {
 
     const userRepo = req.ctx.repositories.getBaseUserRepository()
     // This is simple, we can just call our function
-    const result = await userRepo.findOneByUsernameAndOrgShortname(username, orgShortName, {}, !req.useRegistry)
+    const result = await userRepo.findOneByUsernameAndOrgShortname(username, orgShortName, {}, !!req.useRegistry)
 
     if (!result) {
       logger.info({ uuid: req.ctx.uuid, message: username + ' does not exist.' })
@@ -249,7 +249,6 @@ async function createOrg (req, res, next) {
       }
 
       // Check to see if the org already exits
-      // Org exists funciton checks if we should "return the legacy format" NOT "IS IT" a legacy format. TODO: Fix that.
       if (await repo.orgExists(body?.short_name, { session }, !req.useRegistry)) {
         logger.info({ uuid: req.ctx.uuid, message: body?.short_name + ' organization was not created because it already exists.' })
         await session.abortTransaction()
@@ -413,13 +412,13 @@ async function createUser (req, res, next) {
       }
 
       // Ask repo if user already exists
-      if (await userRepo.orgHasUser(orgShortName, body?.username, { session }, !req.useRegistry)) {
+      if (await userRepo.orgHasUser(orgShortName, body?.username, { session }, !!req.useRegistry)) {
         logger.info({ uuid: req.ctx.uuid, message: `${body?.username} user was not created because it already exists.` })
         await session.abortTransaction()
         return res.status(400).json(error.userExists(body?.username))
       }
 
-      if (!await userRepo.isAdminOrSecretariat(orgShortName, req.ctx.user, req.ctx.org, { session }, !req.useRegistry)) {
+      if (!await userRepo.isAdminOrSecretariat(orgShortName, req.ctx.user, req.ctx.org, { session }, !!req.useRegistry)) {
         await session.abortTransaction()
         return res.status(403).json(error.notOrgAdminOrSecretariat()) // The Admin user must belong to the new user's organization
       }
@@ -430,7 +429,7 @@ async function createUser (req, res, next) {
         return res.status(400).json(error.userLimitReached())
       }
 
-      returnValue = await userRepo.createUser(orgShortName, body, { session, upsert: true }, !req.useRegistry)
+      returnValue = await userRepo.createUser(orgShortName, body, { session, upsert: true }, !!req.useRegistry)
       await session.commitTransaction()
     } catch (error) {
       await session.abortTransaction()
@@ -482,8 +481,8 @@ async function updateUser (req, res, next) {
     const queryParametersJson = req.ctx.query
 
     // Get requester UUID for later
-    const requesterUUID = await userRepo.getUserUUID(requesterUsername, requesterShortName, { session }, !req.useRegistry)
-    const targetUserUUID = await userRepo.getUserUUID(usernameParams, shortNameParams, { session }, !req.useRegistry)
+    const requesterUUID = await userRepo.getUserUUID(requesterUsername, requesterShortName, { session }, !!req.useRegistry)
+    const targetUserUUID = await userRepo.getUserUUID(usernameParams, shortNameParams, { session }, !!req.useRegistry)
 
     const isRequesterSecretariat = await orgRepo.isSecretariatByShortName(requesterShortName, { session })
     const isAdmin = await userRepo.isAdmin(requesterUsername, requesterShortName, { session })
@@ -600,7 +599,7 @@ async function updateUser (req, res, next) {
       }
     }
 
-    const payload = await userRepo.updateUser(usernameParams, shortNameParams, queryParametersJson, { session }, !req.useRegistry)
+    const payload = await userRepo.updateUser(usernameParams, shortNameParams, queryParametersJson, { session }, !!req.useRegistry)
     await session.commitTransaction()
     return res.status(200).json({ message: `${usernameParams} was successfully updated.`, updated: payload })
   } catch (err) {
@@ -646,14 +645,14 @@ async function resetSecret (req, res, next) {
       }
 
       // Check if target user exists in target org
-      const targetUserUUID = await userRepo.getUserUUID(targetUsername, targetOrgShortName, { session }, !req.useRegistry)
+      const targetUserUUID = await userRepo.getUserUUID(targetUsername, targetOrgShortName, { session }, !!req.useRegistry)
       if (!targetUserUUID) {
         logger.info({ uuid: req.ctx.uuid, message: 'User DNE' })
         await session.abortTransaction()
         return res.status(404).json(error.userDne(targetUsername))
       }
 
-      const requesterUserUUID = await userRepo.getUserUUID(requesterUsername, requesterOrgShortName, { session }, !req.useRegistry)
+      const requesterUserUUID = await userRepo.getUserUUID(requesterUsername, requesterOrgShortName, { session }, !!req.useRegistry)
 
       const isRequesterSecretariat = await orgRepo.isSecretariatByShortName(requesterOrgShortName, { session })
 
@@ -679,7 +678,7 @@ async function resetSecret (req, res, next) {
         }
       }
 
-      const updatedSecret = await userRepo.resetSecret(targetUsername, targetOrgShortName, { session }, !req.useRegistry)
+      const updatedSecret = await userRepo.resetSecret(targetUsername, targetOrgShortName, { session }, !!req.useRegistry)
 
       logger.info({ uuid: req.ctx.uuid, message: `The API secret was successfully reset and sent to ${targetUsername}` })
       const payload = {

src/controller/org.controller/org.middleware.js

@@ -200,12 +200,10 @@ function validateUpdateOrgParameters () {
       query(['new_short_name']).optional().isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
       query(['active_roles.add']).optional().toArray()
         .custom(isFlatStringArray)
-        .customSanitizer(toUpperCaseArray)
-        .custom(isOrgRole).withMessage(errorMsgs.ORG_ROLES),
+        .customSanitizer(toUpperCaseArray),
       query(['active_roles.remove']).optional().toArray()
         .custom(isFlatStringArray)
-        .customSanitizer(toUpperCaseArray)
-        .custom(isOrgRole).withMessage(errorMsgs.ORG_ROLES),
+        .customSanitizer(toUpperCaseArray),
       // Path parameter validation
       param(['shortname']).isString().trim().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH })]
     if (useRegistry) {

src/controller/registry-org.controller/registry-org.controller.js

@@ -234,6 +234,12 @@ async function updateOrg (req, res, next) {
       const requestingUser = await userRepo.findOneByUsernameAndOrgShortname(req.ctx.user, req.ctx.org, { session })
       const org = await repo.findOneByShortName(shortName)
 
+      if (!isSecretariat && (!isAdmin || shortName !== req.ctx.org)) {
+        logger.info({ uuid: req.ctx.uuid, message: shortName + ' organization can only be updated by the users of the same organization or the Secretariat.' })
+        await session.abortTransaction()
+        return res.status(403).json(error.notSameOrgOrSecretariat())
+      }
+
       // Edge Case: if a user has requested an org, but it is not approved yet, then we need to check to see if if there is a review org for the shortname request.
 
       if (!org) {
@@ -421,7 +427,7 @@ async function getUsers (req, res, next) {
       return res.status(403).json(error.notSameOrgOrSecretariat())
     }
 
-    const payload = await userRepo.getAllUsersByOrgShortname(orgShortName, options, true)
+    const payload = await userRepo.getAllUsersByOrgShortname(orgShortName, options, false)
 
     logger.info({ uuid: req.ctx.uuid, message: `The users of ${orgShortName} organization were sent to the user.` })
     return res.status(200).json(payload)
@@ -482,13 +488,13 @@ async function createUserByOrg (req, res, next) {
       }
 
       // Ask repo if user already exists
-      if (await userRepo.orgHasUser(orgShortName, body?.username, { session }, false)) {
+      if (await userRepo.orgHasUser(orgShortName, body?.username, { session }, true)) {
         logger.info({ uuid: req.ctx.uuid, message: `${body?.username} user was not created because it already exists.` })
         await session.abortTransaction()
         return res.status(400).json(error.userExists(body?.username))
       }
 
-      if (!await userRepo.isAdminOrSecretariat(orgShortName, req.ctx.user, req.ctx.org, { session }, false)) {
+      if (!await userRepo.isAdminOrSecretariat(orgShortName, req.ctx.user, req.ctx.org, { session }, true)) {
         await session.abortTransaction()
         return res.status(403).json(error.notOrgAdminOrSecretariat()) // The Admin user must belong to the new user's organization
       }
@@ -499,7 +505,7 @@ async function createUserByOrg (req, res, next) {
         return res.status(400).json(error.userLimitReached())
       }
 
-      returnValue = await userRepo.createUser(orgShortName, body, { session, upsert: true }, false)
+      returnValue = await userRepo.createUser(orgShortName, body, { session, upsert: true }, true)
       await session.commitTransaction()
     } catch (error) {
       await session.abortTransaction()

src/controller/user.controller/user.controller.js

@@ -26,7 +26,7 @@ async function getAllUsers (req, res, next) {
     options.page = req.ctx.query.page ? parseInt(req.ctx.query.page) : CONSTANTS.PAGINATOR_PAGE // if 'page' query parameter is not defined, set 'page' to the default page value
 
     try {
-      returnValue = await repo.getAllUsers(options, !req.useRegistry)
+      returnValue = await repo.getAllUsers(options, !!req.useRegistry)
     } finally {
       await session.endSession()
     }