demorgans law strikes again

Author: david-rocca

src/controller/org.controller/org.controller.js

@@ -932,10 +932,12 @@ async function updateUser (req, res, next) {
     }
 
     // General permission check for fields requiring admin/secretariat
-    if ((queryParameters.new_username || queryParameters['active_roles.remove'] || queryParameters['active_roles.add']) && (!isRequesterSecretariat || !isAdmin)) {
-      logger.info({ uuid: req.ctx.uuid, message: `User ${requesterUsername} (not Admin/Secretariat) trying to modify admin-only fields.` })
-      await session.abortTransaction(); await session.endSession()
-      return res.status(403).json(error.notOrgAdminOrSecretariatUpdate())
+    if ((queryParameters.new_username || queryParameters['active_roles.remove'] || queryParameters['active_roles.add'])) {
+      if (!isRequesterSecretariat && !isAdmin) {
+        logger.info({ uuid: req.ctx.uuid, message: `User ${requesterUsername} (not Admin/Secretariat) trying to modify admin-only fields.` })
+        await session.abortTransaction(); await session.endSession()
+        return res.status(403).json(error.notOrgAdminOrSecretariatUpdate())
+      }
     }
 
     // handlers