conflicts

david-rocca · david-rocca · commit ddfedd4e1bbf · 2026-04-13T16:20:30.000-04:00
diff --git a/src/controller/registry-user.controller/registry-user.controller.js b/src/controller/registry-user.controller/registry-user.controller.js
@@ -258,6 +258,11 @@ async function updateUser (req, res, next) {
     return res.status(404).json(error.orgDnePathParam(userToEditParameters.org))
   }
 
+  if (body.org_short_name && !isSecretariat) {
+    logger.info({ uuid: req.ctx.uuid, message: 'Only Secretariat can reassign user organization.' })
+    return res.status(403).json(error.notAllowedToChangeOrganization())
+  }
+
   if (body.org_short_name) {
     const targetOrg = await orgRepo.findOneByShortName(body.org_short_name)
     if (!targetOrg) {
@@ -266,11 +271,6 @@ async function updateUser (req, res, next) {
     }
   }
 
-  if (body.org_short_name && !isSecretariat) {
-    logger.info({ uuid: req.ctx.uuid, message: 'Only Secretariat can reassign user organization.' })
-    return res.status(403).json(error.notAllowedToChangeOrganization())
-  }
-
   if (body.org_short_name && isSecretariat && userToEditParameters.org === org.short_name && body.org_short_name === org.short_name) {
     logger.info({ uuid: req.ctx.uuid, message: `User ${userToEditParameters.username} is already in organization ${userToEditParameters.org}.` })
     return res.status(403).json(error.alreadyInOrg(org.short_name, userToEditParameters.username))
diff --git a/test/integration-tests/user/updateUserTest.js b/test/integration-tests/user/updateUserTest.js
@@ -205,5 +205,36 @@ describe('Testing Edit user endpoint', () => {
           expect(res.body.error).to.equal('SECRET_UPDATE_NOT_ALLOWED')
         })
     })
+    it('Should return 404 when target organization in path does not exist', async () => {
+      const user = constants.headers['CVE-API-USER']
+      await chai.request(app)
+        .put(`/api/registry/org/non_existent_org/user/${user}`)
+        .set(constants.headers)
+        .send({
+          name: {
+            first: 'NewFirst',
+            last: 'NewLast'
+          }
+        })
+        .then((res) => {
+          expect(res).to.have.status(404)
+          expect(res.body.error).to.contain('ORG_DNE_PARAM')
+        })
+    })
+
+    it('Should return 404 when target organization in body does not exist', async () => {
+      const user = constants.headers['CVE-API-USER']
+      const org = constants.headers['CVE-API-ORG']
+      await chai.request(app)
+        .put(`/api/registry/org/${org}/user/${user}`)
+        .set(constants.headers)
+        .send({
+          org_short_name: 'non_existent_org'
+        })
+        .then((res) => {
+          expect(res).to.have.status(404)
+          expect(res.body.error).to.contain('ORG_DNE_PARAM')
+        })
+    })
   })
 })
