fix(organizations): enabled access for org affiliates to org update e…

…ndpoint
jobstash · Nov 8, 2024 · e86d9c3 · e86d9c3
1 parent 5fe22fa
commit e86d9c3
Showing 1 changed file with 18 additions and 2 deletions.
diff --git a/src/organizations/organizations.controller.ts b/src/organizations/organizations.controller.ts
@@ -540,7 +540,10 @@ export class OrganizationsController {
 
   @Post("/update/:id")
   @UseGuards(PBACGuard)
-  @Permissions(CheckWalletPermissions.ADMIN, CheckWalletPermissions.ORG_MANAGER)
+  @Permissions(
+    [CheckWalletPermissions.USER, CheckWalletPermissions.ORG_AFFILIATE],
+    [CheckWalletPermissions.ADMIN, CheckWalletPermissions.ORG_MANAGER],
+  )
   @ApiOkResponse({
     description: "Updates an existing organization",
     schema: responseSchemaWrapper({
@@ -553,7 +556,7 @@ export class OrganizationsController {
     schema: responseSchemaWrapper({ type: "string" }),
   })
   async updateOrganization(
-    @Session() { address }: SessionObject,
+    @Session() { address, permissions }: SessionObject,
     @Param("id") id: string,
     @Body() body: UpdateOrganizationInput,
   ): Promise<ResponseWithOptionalData<Organization>> {
@@ -563,6 +566,19 @@ export class OrganizationsController {
       )} from ${address}`,
     );
 
+    if (permissions.includes(CheckWalletPermissions.ORG_AFFILIATE)) {
+      const authorized = await this.userService.userAuthorizedForOrg(
+        address,
+        id,
+      );
+      if (!authorized) {
+        throw new ForbiddenException({
+          success: false,
+          message: "You are not authorized to access this resource",
+        });
+      }
+    }
+
     try {
       const org = await this.organizationsService.findByOrgId(id);