Validate role field on user create

cberger8 · cberger8 · commit 588cc8d36eb7 · 2025-12-05T15:03:11.000-05:00
diff --git a/src/controller/org.controller/org.controller.js b/src/controller/org.controller/org.controller.js
@@ -452,7 +452,7 @@ async function updateOrg (req, res, next) {
 /**
  *  Creates a user only if the org exists and
  * the user does not exist for the specified shortname and username
- * Called by POST /api/org/{shortname}/user
+ * Called by POST /api/registry/org/{shortname}/user, POST /api/org/{shortname}/user
  **/
 async function createUser (req, res, next) {
   const session = await mongoose.startSession()
@@ -461,6 +461,7 @@ async function createUser (req, res, next) {
     const userRepo = req.ctx.repositories.getBaseUserRepository()
     const orgRepo = req.ctx.repositories.getBaseOrgRepository()
     const orgShortName = req.ctx.params.shortname
+    const constants = getConstants()
     let returnValue
 
     // Check to make sure Org Exists first
@@ -486,6 +487,9 @@ async function createUser (req, res, next) {
         if (body?.role && typeof body?.role !== 'string') {
           return res.status(400).json({ message: 'Parameters were invalid', details: [{ param: 'role', msg: 'Parameter must be a string' }] })
         }
+        if (body?.role && !constants.USER_ROLES.includes(body?.role)) {
+          return res.status(400).json({ message: 'Parameters were invalid', details: [{ param: 'role', msg: `Role must be one of the following: ${constants.USER_ROLES}` }] })
+        }
         if (!result.isValid) {
           logger.error(JSON.stringify({ uuid: req.ctx.uuid, message: 'User JSON schema validation FAILED.' }))
           await session.abortTransaction()
@@ -548,7 +552,7 @@ async function createUser (req, res, next) {
 /**
  *  Updates a user only if the user exist for the specified username.
  *  If no user exists, it does not create the user.
- *  Called by PUT /org/{shortname}/user/{username}
+ *  Called by PUT /org/{shortname}/user/{username}, PUT /org/{shortname}/user/{username}
  **/
 async function updateUser (req, res, next) {
   const session = await mongoose.startSession()
diff --git a/src/repositories/baseUserRepository.js b/src/repositories/baseUserRepository.js
@@ -241,6 +241,7 @@ class BaseUserRepository extends BaseRepository {
     delete rawRegistryUserJson._id
     delete rawRegistryUserJson.__v
     delete rawRegistryUserJson.authority
+    delete rawRegistryUserJson.role
     return deepRemoveEmpty(rawRegistryUserJson)
   }
 

Original file line number	Diff line number	Diff line change
`@@ -241,6 +241,7 @@ class BaseUserRepository extends BaseRepository {`
`241`	`241`	`delete rawRegistryUserJson._id`
`242`	`242`	`delete rawRegistryUserJson.__v`
`243`	`243`	`delete rawRegistryUserJson.authority`
	`244`	`+ delete rawRegistryUserJson.role`
`244`	`245`	`return deepRemoveEmpty(rawRegistryUserJson)`
`245`	`246`	`}`
`246`	`247`