From f2d481bd33f291558c18b749624bd1f16a368770 Mon Sep 17 00:00:00 2001
From: Andrew <afoote@mitre.org>
Date: Mon, 11 May 2026 13:50:38 -0400
Subject: [PATCH] Fixed authenticate vs authorize ordering on routes in the
 Registry Org and Audit controllers

---
 src/controller/audit.controller/index.js        | 2 +-
 src/controller/registry-org.controller/index.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/controller/audit.controller/index.js b/src/controller/audit.controller/index.js
index 07930c35c..4a95b181c 100644
--- a/src/controller/audit.controller/index.js
+++ b/src/controller/audit.controller/index.js
@@ -36,8 +36,8 @@ router.get('/audit/org/:org_identifier',
 
 // Get last X changes (Secretariat or Org Admin)
 router.get('/audit/org/:org_identifier/:number_of_changes',
-  mw.onlySecretariat,
   mw.validateUser,
+  mw.onlySecretariat,
   auditMw.parseGetParams,
   controller.AUDIT_GET_LAST
 )
diff --git a/src/controller/registry-org.controller/index.js b/src/controller/registry-org.controller/index.js
index 997a8e771..c24148d6a 100644
--- a/src/controller/registry-org.controller/index.js
+++ b/src/controller/registry-org.controller/index.js
@@ -212,8 +212,8 @@ router.post('/registryOrg',
   }
   */
   mw.useRegistry(),
-  mw.onlySecretariat,
   mw.validateUser,
+  mw.onlySecretariat,
   body(['reports_to']).not().exists().withMessage('reports_to must not be present'),
   parseError,
   parsePostParams,