Maybe this check first?

david-rocca · david-rocca · commit 95eed3735bd6 · 2025-09-09T15:32:07.000-04:00
diff --git a/src/controller/org.controller/org.controller.js b/src/controller/org.controller/org.controller.js
@@ -724,15 +724,36 @@ async function resetSecret (req, res, next) {
 
       const isRequesterSecretariat = await orgRepo.isSecretariatByShortName(requesterOrgShortName, { session })
       // const isAdmin = await userRepo.isAdmin(requesterUsername, targetOrgShortName, { session })
-      if (!isRequesterSecretariat && (requesterOrgShortName !== targetOrgShortName)) {
+
+      // if (!isRequesterSecretariat && (requesterOrgShortName !== targetOrgShortName)) {
+      //   if (requesterOrgShortName !== targetOrgShortName) {
+      //     logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' })
+      //     await session.abortTransaction()
+      //     return res.status(403).json(error.notSameOrgOrSecretariat())
+      //   } else if (requesterUserUUID !== targetUserUUID) {
+      //     logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' })
+      //     await session.abortTransaction()
+      //     return res.status(403).json(error.notSameUserOrSecretariat())
+      //   }
+      //   logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' })
+      //   await session.abortTransaction()
+      //   return res.status(403).json(error.notSameOrgOrSecretariat())
+      // }
+
+      if (!isRequesterSecretariat) {
+        // If not Secretariat, they must be in the same organization.
+        if (requesterOrgShortName !== targetOrgShortName) {
+          logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' })
+          await session.abortTransaction()
+          return res.status(403).json(error.notSameOrgOrSecretariat())
+        }
+
+        // If they are in the same organization, they must be the target user themselves.
         if (requesterUserUUID !== targetUserUUID) {
           logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' })
           await session.abortTransaction()
           return res.status(403).json(error.notSameUserOrSecretariat())
         }
-        logger.info({ uuid: req.ctx.uuid, message: 'The api secret can only be reset by the Secretariat, an Org admin or if the requester is the user.' })
-        await session.abortTransaction()
-        return res.status(403).json(error.notSameOrgOrSecretariat())
       }
       // Check if requester is either admin of target org or secretariat, or is same as target user
       const isAdminOrSecretariat = await userRepo.isAdminOrSecretariat(targetOrgShortName, requesterUsername, requesterOrgShortName, { session }, !req.useRegistry)
