fix security rules when getting a single challenge

ThomasKranitsas · ThomasKranitsas · commit 1566d0f1da71 · 2020-08-07T22:26:35.000+03:00
diff --git a/src/services/ChallengeService.js b/src/services/ChallengeService.js
@@ -946,7 +946,7 @@ async function getChallenge (currentUser, id) {
   // Check if challenge is task and apply security rules
   if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {
     const skipAccessCheck = !currentUser ? false : currentUser.isMachine || helper.hasAdminRole(currentUser)
-    if (!skipAccessCheck && currentUser && _.toString(currentUser.userId) !== _.get(challenge, 'task.memberId')) {
+    if (!skipAccessCheck && currentUser && _.toString(currentUser.userId) !== _.toString(_.get(challenge, 'task.memberId'))) {
       throw new errors.ForbiddenError(`You don't have access to view this challenge`)
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -946,7 +946,7 @@ async function getChallenge (currentUser, id) {`
`946`	`946`	`// Check if challenge is task and apply security rules`
`947`	`947`	`if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {`
`948`	`948`	`const skipAccessCheck = !currentUser ? false : currentUser.isMachine \|\| helper.hasAdminRole(currentUser)`
`949`		`- if (!skipAccessCheck && currentUser && _.toString(currentUser.userId) !== _.get(challenge, 'task.memberId')) {`
	`949`	`+ if (!skipAccessCheck && currentUser && _.toString(currentUser.userId) !== _.toString(_.get(challenge, 'task.memberId'))) {`
`950`	`950`	throw new errors.ForbiddenError(`You don't have access to view this challenge`)
`951`	`951`	`}`
`952`	`952`	`}`