Resolves #1176 For GET /cve-id, redacts requested_by.user value for situations when cve-ids changes orgs, and when users change orgs

[jdaigneau5]

Closes Issue #1176

Summary

When calling the GET /cve-id endpoint as a non Secretariat user, in the returned cve-id data, therequested_by.user value is now redacted when that user is not in the requested_by.cna organization. Also, the same value is redacted when the owning_cna is not the same organization as the requested_by.cna organization.

Important Changes

cve-id.controller.js

• Modified getFiliteredCveId() to check if requested_by.user is not part of requested_by.cna org .
• Modified getFilteredCveId() to check owning_cna is not the same org as requested_by.cna org.
• Added REDACTED value for the above situations.
• Added integration tests

Testing

Run npm run test:integration for automated testing.

Steps to manually test updated functionality, if possible

• 1) Substantial test data needs to be created for manual testing:
  - Create two test organizations: testOrgA and testOrgB
  - Create two users in testOrgA, and one user in testOrgB
  - Reserve 1 Cve-Id as user1 in testOrgA, and 1 Cve-Id as user2 in testOrgA
• 2) As a Secretariat user, move user1 from testOrgA to testOrgB
• 3) As user2 in testOrgA, call GET /cve-id. Both reserved Cve-ids should be shown, but one will have requested_by.user: REDACTED.
• 4) As a Secretariat user, call PUT /cve-id on the second reserved Cve-id, and updating the org to testOrgB.
• 5) As user1 in testOrgB, call GET /cve-id, one reserved Cve-Id should be returned with requested_by.user : REDACTED

[david-rocca]

Tests pass: LGTM