I've got a secret, that I have been hiding, under my skin

david-rocca · david-rocca · commit 26cca6ec3be5 · 2025-06-09T20:32:09.000-04:00
diff --git a/src/controller/org.controller/org.controller.js b/src/controller/org.controller/org.controller.js
@@ -906,7 +906,7 @@ async function updateUser (req, res, next) {
     if (shortNameParams !== requesterShortName && !isRequesterSecretariat) {
       logger.info({ uuid: req.ctx.uuid, message: `${shortNameParams} organization data can only be modified by users of the same organization or the Secretariat.` })
       await session.abortTransaction(); await session.endSession()
-      return res.status(403).json(error.notSameOrgOrSecretariat())
+      return res.status(403).json(error.notSameUserOrSecretariat())
     }
 
     const userLeg = await userLegRepo.findOneByUserNameAndOrgUUID(usernameParams, targetOrgLegUUID, null, { session })
@@ -1286,8 +1286,8 @@ async function resetSecret (req, res, next) {
         return res.status(404).json(error.userDne(username))
       }
 
-      const isLegAdmin = await userRepo.isAdmin(requesterUsername, requesterShortName, { session })
-      const isRegAdmin = await userRegistryRepo.isAdmin(requesterUsername, orgRegUUID, { session })
+      const isLegAdmin = await userRepo.isAdmin(requesterUsername, requesterShortName, false, { session })
+      const isRegAdmin = await userRegistryRepo.isAdmin(requesterUsername, requesterShortName, true, { session })
       const isAdmin = isLegAdmin && isRegAdmin
 
       // check if the user is not the requester or if the requester is not a secretariat
