Restrict Organization Creation/Request to Secretariat Only #1611

@david-rocca

Ticket: Restrict Organization Creation/Request to Secretariat Only

Description

Currently, authenticated users can request the creation of a new organization via POST /registryOrg. This triggers a "Review Org" workflow where a ReviewObject is created for the Secretariat to approve.
We need to remove this capability. Only the Secretariat should be able to create new organizations directly. The "Request New Organization" workflow for non-Secretariat users should be disabled.

Acceptance Criteria / TODOs

Backend Changes (src/controller/registry-org.controller/index.js)

  • Update Route Middleware:
    • Add mw.onlySecretariat to the POST /registryOrg route definition.
    • Existing chain is: mw.useRegistry(), mw.validateUser, parseError, parsePostParams, controller.CREATE_ORG.
    • New chain should include mw.onlySecretariat after validation.

Backend Changes (src/controller/registry-org.controller/registry-org.controller.js)

  • Simplify createOrg Controller:
    • Remove the logic that handles non-Secretariat requests (the else block that creates create_review_org payload).
    • Remove the check if (isSecretariat) since the middleware will guarantee it.
    • Ensure the function assumes authoritative creation (upserting/creating the Org directly).

Documentation Changes

  • Update Swagger Comments:
    • Ensure POST /registryOrg clearly states "Secretariat Only".
    • Remove any "Expected Behavior" describing "User requests a new org".

Testing

  • Integration Test:
    • Verify that a Secretariat user can create an organization.
    • Verify that a non-Secretariat user receives a 403 Forbidden when trying to POST to /registryOrg.
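An added example, not code from the project or the ticket author, of the route chain this ticket asks for: a stand-in `validateUser`, a stand-in `onlySecretariat` gate placed after validation, and a simplified `createOrg` that no longer branches on role. The role name `SECRETARIAT`, the `req.user` shape, and the tiny dispatcher replacing Express's router are all assumptions for the sake of a self-contained run.

```javascript
// Constructed in-memory store standing in for the Org collection.
const ORG_STORE = new Map()

// Hypothetical stand-in for mw.validateUser: an unauthenticated request stops here with 401.
function validateUser (req, res, next) {
  if (!req.user) return res.status(401).json({ error: 'UNAUTHENTICATED' })
  next()
}

// Hypothetical stand-in for mw.onlySecretariat: authorization is decided before the
// controller runs, so the controller never needs its own isSecretariat check.
function onlySecretariat (req, res, next) {
  const roles = Array.isArray(req.user.roles) ? req.user.roles : []
  if (!roles.includes('SECRETARIAT')) return res.status(403).json({ error: 'FORBIDDEN' })
  next()
}

// Simplified controller: authoritative creation only; the old "create_review_org" branch is gone.
function createOrg (req, res) {
  const { short_name, name } = req.body
  ORG_STORE.set(short_name, { short_name, name, created_by: req.user.username })
  return res.status(200).json({ message: `${short_name} organization was successfully created.` })
}

// Route chain as the ticket specifies: validation, then the Secretariat gate, then the controller.
const postRegistryOrgChain = [validateUser, onlySecretariat, createOrg]

// Minimal dispatcher standing in for Express: runs handlers in order until one responds
// without calling next(); returns the status and JSON body that would be sent.
function runChain (chain, req) {
  const res = {
    statusCode: 200,
    body: null,
    status (code) { this.statusCode = code; return this },
    json (payload) { this.body = payload; return this }
  }
  let i = 0
  const next = () => { const handler = chain[i++]; if (handler) handler(req, res, next) }
  next()
  return { status: res.statusCode, body: res.body }
}

// Convenience wrapper: simulate POST /registryOrg as the given user with the given body.
function postRegistryOrg (user, body) {
  return runChain(postRegistryOrgChain, { user, body })
}
```

The three calls worth checking mirror the ticket's acceptance criteria: a Secretariat user gets 200 and the org is stored, a non-Secretariat user gets 403 and nothing is stored, and an unauthenticated caller never reaches the gate at all.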
