CVEProject · david-rocca · Dec 17, 2025 · Dec 10, 2025 · Dec 10, 2025 · Dec 11, 2025
diff --git a/src/middleware/middleware.js b/src/middleware/middleware.js
@@ -44,8 +44,8 @@ async function optionallyValidateUser (req, res, next) {
   const org = req.ctx.org
   const user = req.ctx.user
   const key = req.ctx.key
-  const userRepo = req.ctx.repositories.getUserRepository()
-  const orgRepo = req.ctx.repositories.getOrgRepository()
+  const userRepo = req.ctx.repositories.getBaseUserRepository()
+  const orgRepo = req.ctx.repositories.getBaseOrgRepository()
   let authenticated = true
 
   try {
@@ -127,7 +127,7 @@ async function validateUser (req, res, next) {
       return res.status(401).json(error.unauthorized())
     }
 
-    const result = await userRepo.findOneByUsernameAndOrgUUID(user, orgUUID)
+    const result = await userRepo.findOneByUserNameAndOrgUUID(user, orgUUID)
     if (!result) {
       logger.warn(JSON.stringify({ uuid: req.ctx.uuid, message: 'User not found. User authentication FAILED for ' + user }))
       return res.status(401).json(error.unauthorized())
@@ -176,24 +176,6 @@ async function onlySecretariatOrBulkDownload (req, res, next) {
   }
 }
 
-async function onlySecretariatUserRegistry (req, res, next) {
-  const org = req.ctx.org
-  const registryOrgRepo = req.ctx.repositories.getRegistryOrgRepository()
-  const CONSTANTS = getConstants()
-
-  try {
-    const isSec = await registryOrgRepo.isSecretariat(org)
-    if (!isSec) {
-      logger.info({ uuid: req.ctx.uuid, message: org + ' is NOT a ' + CONSTANTS.AUTH_ROLE_ENUM.SECRETARIAT })
-      return res.status(403).json(error.secretariatOnly())
-    }
-    logger.info({ uuid: req.ctx.uuid, message: 'Confirmed ' + org + 'as a Secretariat' })
-    next()
-  } catch (err) {
-    next(err)
-  }
-}
-
 // Checks that the requester belongs to an org that has the 'SECRETARIAT' role
 
 async function onlySecretariat (req, res, next) {
@@ -577,7 +559,6 @@ module.exports = {
   onlySecretariat,
   onlySecretariatOrBulkDownload,
   onlySecretariatOrAdmin,
-  onlySecretariatUserRegistry,
   onlyCnas,
   onlyAdps,
   onlyOrgWithPartnerRole,

diff --git a/src/repositories/baseUserRepository.js b/src/repositories/baseUserRepository.js
@@ -98,7 +98,7 @@ class BaseUserRepository extends BaseRepository {
     return user || null
   }
 
-  async findOneByUsernameAndOrgUUID (username, orgUUID, options = {}, isLegacyObject = false) {
+  async findOneByUserNameAndOrgUUID (username, orgUUID, options = {}, isLegacyObject = false) {
     const legacyUserRepo = new UserRepository()
     const users = await BaseUser.find({ username: username }, null, options)
     if (!users || users.length === 0) {

diff --git a/src/utils/utils.js b/src/utils/utils.js
@@ -43,7 +43,7 @@ async function getUserUUID (userIdentifier, orgUUID, useRegistry = false, option
     return userDocument ? userDocument.UUID : null
   } else {
     const baseUserRepository = new BaseUserRepository()
-    const userDocument = await baseUserRepository.findOneByUsernameAndOrgUUID(userIdentifier, orgUUID, options)
+    const userDocument = await baseUserRepository.findOneByUserNameAndOrgUUID(userIdentifier, orgUUID, options)
     return userDocument ? userDocument.UUID : null
   }
 }
@@ -113,7 +113,7 @@ async function isAdmin (requesterUsername, requesterShortName, isRegistry = fals
 
   const baseUserRepository = new BaseUserRepository()
   if (requesterOrgUUID) {
-    const user = isRegistry ? await baseUserRepository.findOneByUsernameAndOrgUUID(requesterUsername, requesterOrgUUID) : await User.findOne().byUserNameAndOrgUUID(requesterUsername, requesterOrgUUID)
+    const user = isRegistry ? await baseUserRepository.findOneByUserNameAndOrgUUID(requesterUsername, requesterOrgUUID) : await User.findOne().byUserNameAndOrgUUID(requesterUsername, requesterOrgUUID)
 
     if (user) {
       if (isRegistry) {
@@ -135,7 +135,7 @@ async function isAdminUUID (requesterUsername, requesterOrgUUID, isRegistry = fa
   const baseOrgRepository = new BaseOrgRepository()
   if (requesterOrgUUID) {
     const orgObject = await baseOrgRepository.findOneByUUID(requesterOrgUUID, options)
-    const user = isRegistry ? await baseUserRepository.findOneByUsernameAndOrgUUID(requesterUsername, requesterOrgUUID) : await User.findOne().byUserNameAndOrgUUID(requesterUsername, requesterOrgUUID)
+    const user = isRegistry ? await baseUserRepository.findOneByUserNameAndOrgUUID(requesterUsername, requesterOrgUUID) : await User.findOne().byUserNameAndOrgUUID(requesterUsername, requesterOrgUUID)
 
     if (user && orgObject) {
       if (isRegistry) {

diff --git a/test/unit-tests/middleware/validateUserTest.js b/test/unit-tests/middleware/validateUserTest.js
@@ -28,10 +28,6 @@ class UserValidateUserSuccess {
   async findOneByUserNameAndOrgUUID () {
     return mwFixtures.existentUser
   }
-
-  async findOneByUsernameAndOrgUUID () {
-    return mwFixtures.existentUser
-  }
 }
 
 class NullOrgRepo {
@@ -188,10 +184,6 @@ describe('Testing the user validation middleware', () => {
         async findOneByUserNameAndOrgUUID () {
           return mwFixtures.deactivatedUser
         }
-
-        async findOneByUsernameAndOrgUUID () {
-          return mwFixtures.deactivatedUser
-        }
       }
 
       app.route('/validate-user-deactivated')