From 7de8f4095919e3cac344ddc615b94bf0c4d60367 Mon Sep 17 00:00:00 2001
From: dbarkowsky
Date: Thu, 19 Dec 2024 11:51:35 -0800
Subject: [PATCH] add check for agencyid when updating properties
---
 express-api/src/services/buildings/buildingServices.ts | 4 +++-
 express-api/src/services/parcels/parcelServices.ts | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/express-api/src/services/buildings/buildingServices.ts b/express-api/src/services/buildings/buildingServices.ts
index 63cb189f4..97605fbfd 100644
--- a/express-api/src/services/buildings/buildingServices.ts
+++ b/express-api/src/services/buildings/buildingServices.ts
@@ -69,12 +69,14 @@ export const updateBuildingById = async (
 user: PimsRequestUser,
 ) => {
 const existingBuilding = await getBuildingById(building.Id);
+ // Does this building exist?
 if (!existingBuilding) {
 throw new ErrorWithCode('Building does not exists.', 404);
 }
+ // Does the user have permissions to change its agency?
 const validUserAgencies = await userServices.getAgencies(user.Username);
 const isAdmin = user.hasOneOfRoles([Roles.ADMIN]);
- if (!isAdmin && !validUserAgencies.includes(building.AgencyId)) {
+ if (!isAdmin && building.AgencyId && !validUserAgencies.includes(building.AgencyId)) {
 throw new ErrorWithCode('This agency change is not permitted.', 403);
 }
 if (building.Fiscals && building.Fiscals.length) {
diff --git a/express-api/src/services/parcels/parcelServices.ts b/express-api/src/services/parcels/parcelServices.ts
index 2580e748c..adeffaed8 100644
--- a/express-api/src/services/parcels/parcelServices.ts
+++ b/express-api/src/services/parcels/parcelServices.ts
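Review bot: With the added `building.AgencyId &&` guard, a non-admin request that omits AgencyId (or sends it as null or 0) skips the agency check in updateBuildingById entirely, and nothing visible in this hunk compares the stored record's agency with the caller's agencies. Unless that ownership check happens in the controller or later in the function (the body continues outside the hunk), a user from one agency could edit a building that belongs to another. I would authorise against the existing record first, assuming the entity exposes AgencyId, e.g. `if (!isAdmin && !validUserAgencies.includes(existingBuilding.AgencyId)) throw new ErrorWithCode('Not permitted to update this building.', 403);`, and keep the incoming-value check with an explicit `building.AgencyId != null` test instead of truthiness. The same applies to the updateParcel hunk in parcelServices.ts, using `findParcel.AgencyId`.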
@@ -159,13 +159,15 @@ const updateParcel = async (incomingParcel: DeepPartial, user: PimsReque
 if (incomingParcel.PID == null && incomingParcel.PIN == null) {
 throw new ErrorWithCode('Must include PID or PIN in parcel data.', 400);
 }
+ // Does this parcel exist?
 const findParcel = await getParcelById(incomingParcel.Id);
 if (findParcel == null || findParcel.Id !== incomingParcel.Id) {
 throw new ErrorWithCode('Parcel not found', 404);
 }
+ // Does the user have permissions to change its agency?
 const validUserAgencies = await userServices.getAgencies(user.Username);
 const isAdmin = user.hasOneOfRoles([Roles.ADMIN]);
- if (!isAdmin && !validUserAgencies.includes(incomingParcel.AgencyId)) {
+ if (!isAdmin && incomingParcel.AgencyId && !validUserAgencies.includes(incomingParcel.AgencyId)) {
 throw new ErrorWithCode('This agency change is not permitted.', 403);
 }
 if (incomingParcel.Fiscals && incomingParcel.Fiscals.length) {