
Fixes a cross-admin conversation bug where users could post conversations to targets outside of their own organization. #1814

Merged

david-rocca merged 2 commits into dev from dr_cross_admin_conversation_bug on May 21, 2026

Conversation

@david-rocca
Collaborator

Summary

This PR restricts conversation creation such that non-Secretariat users (such as Org Admins) can only post conversations directed to their own organization's UUID. If a non-Secretariat user attempts to target a UUID that does not match their org's UUID, the request is immediately rejected with a 403 Forbidden response.

Important Changes

src/controller/conversation.controller/conversation.controller.js

  • Added verification logic in createConversationForTargetUUID for non-Secretariat users to ensure targetUUID matches the user's orgUUID.
  • Returns a generic 403 with an UNAUTHORIZED error if the UUIDs do not match.

test/integration-tests/conversation/conversationTest.js

  • Added a negative integration test (Should fail to post a conversation to a different org as a non-Secretariat Admin) to ensure unauthorized conversation creation attempts are blocked correctly.

Testing

Steps to manually test updated functionality, if possible

  1. Authenticate as a non-Secretariat Admin (e.g. using win_5_admin@win_5.com).
  2. Retrieve your organization's UUID using GET /api/registry/org/{short_name}.
  3. Attempt to post a new conversation (POST /api/conversation/target/{random_uuid}) using a UUID other than your org's UUID. Verify you receive a 403 Forbidden with an UNAUTHORIZED error payload.
  4. Attempt to post a new conversation (POST /api/conversation/target/{org_uuid}) using your actual org's UUID. Verify the request is successful.
  5. Verify that the automated integration tests run cleanly (npm run test:integration -- test/integration-tests/conversation/conversationTest.js).

Notes

  • Leveraging existing orgRepo.getOrgUUID(req.ctx.org) functionality to resolve the requestor's organization UUID efficiently without creating new custom error functions.
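The org-scoping check the PR describes, written out as an added example (not the project's own handler code): a non-Secretariat caller's organization is resolved from the authenticated request context and compared with the target UUID before anything is written. The shape of `req.ctx`, the role name `SECRETARIAT`, the in-memory repositories and the UUID values are assumptions and constructed test data.

```javascript
// Added example, not the project's own code. req.ctx.org, req.ctx.user.roles,
// the repository objects and the UUID values are assumptions / constructed data.

const UNAUTHORIZED = { error: 'UNAUTHORIZED', message: 'Not permitted' };

// Constructed in-memory stand-in for orgRepo.getOrgUUID(shortName).
const ORG_UUIDS = {
  win_5: '11111111-1111-4111-8111-111111111111', // constructed
  win_6: '22222222-2222-4222-8222-222222222222', // constructed
};
const orgRepo = { getOrgUUID: (shortName) => ORG_UUIDS[shortName] ?? null };

// Constructed in-memory conversation store.
const conversationRepo = { saved: [], create(c) { this.saved.push(c); return c; } };

function createConversationForTargetUUID(req, res) {
  const { targetUUID } = req.params;
  const isSecretariat = req.ctx.user.roles.includes('SECRETARIAT');
  if (!isSecretariat) {
    // Resolve the caller's org from the authenticated context, never from
    // anything the client sent, and compare it with the requested target.
    const ownOrgUUID = orgRepo.getOrgUUID(req.ctx.org);
    if (!ownOrgUUID || ownOrgUUID !== targetUUID) {
      // Generic 403: the body does not reveal whether targetUUID exists.
      return res.status(403).json(UNAUTHORIZED);
    }
  }
  const conversation = conversationRepo.create({ targetUUID, from: req.ctx.org, body: req.body.body });
  return res.status(200).json(conversation);
}

// Minimal Express-style response double so the handler runs without a server.
function makeRes() {
  const res = { statusCode: 200, payload: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.payload = obj; return res; };
  return res;
}

// Builds a request as the given authenticated org/roles would send it and
// returns the response double for inspection.
function post(orgShortName, roles, targetUUID) {
  const req = { ctx: { org: orgShortName, user: { roles } }, params: { targetUUID }, body: { body: 'hi' } };
  const res = makeRes();
  createConversationForTargetUUID(req, res);
  return res;
}
```

The same four cases as the PR's manual steps can be driven through `post()`: a cross-org target and an unknown caller org both yield the generic 403, while the caller's own org UUID and any Secretariat caller succeed.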

@david-rocca david-rocca merged commit 3a01de6 into dev May 21, 2026
8 checks passed
