From ea2a98d84aecdcda2a4b7de5abe24378cc35f4cb Mon Sep 17 00:00:00 2001
From: mr <morgane.roques@irt-saintexupery.com>
Date: Mon, 23 Mar 2026 08:11:24 +0100
Subject: [PATCH] ShouldVerifyAuthdisable on admin request

---
 models/utils/common.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/models/utils/common.go b/models/utils/common.go
index ebb1c25..c467697 100755
--- a/models/utils/common.go
+++ b/models/utils/common.go
@@ -106,15 +106,16 @@ func ModelGenericUpdateOne(change map[string]interface{}, id string, a Accessor)
 		if !ok {
 			return nil, nil, 403, errors.New("you are not allowed to update :" + a.GetType().String())
 		}
+		if a.ShouldVerifyAuth() && !r.VerifyAuth("update", a.GetRequest()) {
+			return nil, nil, 403, errors.New("you are not allowed to access :" + a.GetType().String())
+		}
 	}
 	r.UpToDate(a.GetUser(), a.GetPeerID(), false)
 	if a.GetPeerID() == r.GetCreatorID() {
 		r.Unsign()
 		r.Sign()
 	}
-	if a.ShouldVerifyAuth() && !r.VerifyAuth("update", a.GetRequest()) {
-		return nil, nil, 403, errors.New("you are not allowed to access :" + a.GetType().String())
-	}
+
 	loaded := r.Serialize(r) // get the loaded object
 
 	for k, v := range change { // apply the changes, with a flatten method