cve-services/src/controller/registry-org.controller/registry-org.controller.js, lines 640 to 645 in 791d31f:

```javascript
// Check if user has permissions to edit conversation
const isSecretariat = await orgRepo.isSecretariatByShortName(req.ctx.org, { session })
const userUUID = await userRepo.getUserUUID(requesterUsername, req.ctx.org, { session })
if (conversation.author_id !== userUUID && !isSecretariat) {
  logger.info({ uuid: req.ctx.uuid, message: 'The user does not have permission to edit this conversation.' })
  return res.status(403).json(error.notAllowedToEditConversation())
} // closing brace of the excerpted block; the permalink ends at line 645
```

`conversation.author_id === userUUID` can be true even if the user has been moved to a different organization. Thus, for example, a disgruntled former employee can vandalize everything they posted while working for their former company.

Also, the user might be in their original organization but demoted, i.e., no longer an admin. The current design does not allow conversation data to be originally entered by a non-admin non-Secretariat user (i.e., someone who can't use `PUT /registry/org/:shortname`). However, such a user can make edits to anything they wrote while they were an admin. This might be desirable but would need to be documented as part of the security policy of the application.
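As an added example (not cve-services code), the ownership check from the excerpt reduced to an in-memory model, beside a hardened variant that also requires the author to still belong to the conversation's org and still hold the authoring role; the user records, org names and the `'ADMIN'` role string are constructed assumptions.

```javascript
// Constructed user directory standing in for userRepo/orgRepo lookups.
const users = [
  { uuid: 'u-1', username: 'alice', org: 'other', roles: ['ADMIN'] }, // moved out of 'acme'
  { uuid: 'u-2', username: 'bob',   org: 'acme',  roles: [] },        // still in 'acme', demoted
  { uuid: 'u-3', username: 'carol', org: 'acme',  roles: ['ADMIN'] }, // still an active admin
  { uuid: 'u-4', username: 'sec',   org: 'mitre', roles: ['ADMIN'] }, // Secretariat org member
]
const secretariatOrgs = new Set(['mitre']) // assumed: which org shortnames are the Secretariat

function findUser (username) {
  return users.find(u => u.username === username)
}

// Mirrors the excerpt: requester is { username, org } (like req.ctx),
// conversation is { author_id, org } where org is the registry entry being edited.
function canEditVulnerable (conversation, requester) {
  const user = findUser(requester.username)
  const isSecretariat = secretariatOrgs.has(requester.org)
  // Author identity alone grants edit rights, regardless of current org or role.
  return isSecretariat || conversation.author_id === user.uuid
}

// Hardened: authorship is necessary but not sufficient.
function canEditHardened (conversation, requester) {
  const user = findUser(requester.username)
  if (secretariatOrgs.has(requester.org)) return true
  if (conversation.author_id !== user.uuid) return false
  // The author must still be a member of the org the conversation belongs to ...
  if (user.org !== conversation.org) return false
  // ... and must still hold the role that permitted authoring in the first place.
  return user.roles.includes('ADMIN')
}

// Returns [vulnerable, hardened] decisions for one scenario so they can be compared.
function compare (conversation, requester) {
  return [canEditVulnerable(conversation, requester), canEditHardened(conversation, requester)]
}

// Constructed scenarios from the issue text: a moved author, a demoted author,
// an intact author, the Secretariat, and a non-author admin.
const scenarios = {
  movedAuthor:    compare({ author_id: 'u-1', org: 'acme' }, { username: 'alice', org: 'other' }),
  demotedAuthor:  compare({ author_id: 'u-2', org: 'acme' }, { username: 'bob',   org: 'acme' }),
  intactAuthor:   compare({ author_id: 'u-3', org: 'acme' }, { username: 'carol', org: 'acme' }),
  secretariat:    compare({ author_id: 'u-1', org: 'acme' }, { username: 'sec',   org: 'mitre' }),
  otherAdmin:     compare({ author_id: 'u-1', org: 'acme' }, { username: 'carol', org: 'acme' }),
}
```

The first two scenarios are the ones the issue describes: the vulnerable check returns true for both, the hardened check denies them while leaving the intact author and the Secretariat unaffected.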