
Commit b9b4995

refactor security rules on task exclusion
1 parent 6651baf commit b9b4995


1 file changed

+6
-28
lines changed


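--- a/src/services/ChallengeService.js
+++ b/src/services/ChallengeService.js
@@ -339,33 +339,11 @@ async function searchChallenges (currentUser, criteria) {
 }
 }
 
-/*
-Long and drawn out filter to hide tasks from challenge list unless:
-1. You're not specifically searching for them (What if you include a task type in your filter, do you see assigned ones?)
-2. You're not searching for a legacyId
-3. You're not getting a member's challenges
-4. You're not an M2M or Admin
-5. The member ID is not the current requesting user JWT
-*/
 // FIXME: Tech Debt
-let excludeTasks = false
-// If you're not looking for a particular type or a specific challenge, exclude tasks
-if (_.isUndefined(criteria.type) && includedTypeIds.length === 0 && _.isUndefined(criteria.legacyId)) {
-excludeTasks = true
-}
-if (!_.isUndefined(criteria.memberId)) {
-// If a memberId is provided by a non-admin/M2M, exclude tasks
-if (!helper.hasAdminRole(currentUser) && !_.get(currentUser, 'isMachine', false)) {
-excludeTasks = true
-}
-// If the authenticated member is not looking for his own challenges, exclude tasks
-if (criteria.memberId !== _.get(currentUser, 'userId')) {
-excludeTasks = true
-}
-}
-// Exclude tasks for unauthenticated users
-if (_.isUndefined(currentUser)) {
-excludeTasks = true
+let excludeTasks = true
+// if you're an admin or m2m, security rules wont be applied
+if (currentUser && (helper.hasAdminRole(currentUser) || _.get(currentUser, 'isMachine', false))) {
+excludeTasks = false
 }
 
 /**
@@ -384,8 +362,8 @@ async function searchChallenges (currentUser, criteria) {
 if (criteria.taskIsAssigned) {
 boolQuery.push({ match_phrase: { 'task.isAssigned': criteria.taskIsAssigned } })
 }
-if (criteria.taskMemberId) {
-boolQuery.push({ match_phrase: { 'task.memberId': criteria.taskMemberId } })
+if (criteria.taskMemberId || criteria.memberId) {
+boolQuery.push({ match_phrase: { 'task.memberId': criteria.taskMemberId || criteria.memberId } })
 }
 } else if (excludeTasks) {
 mustQuery.push({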
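Review bot: The rewritten exclusion drops the old comparison of `criteria.memberId` against the requesting user's `userId` (removed at old line 362), and the second hunk now passes that caller-supplied `criteria.memberId` straight into the `task.memberId` filter, so nothing visible in the new code ties a non-admin's task lookup to their own identity. The outer condition that chooses between that branch and the `else if (excludeTasks)` path opens before the hunk, so I cannot tell whether it already restricts non-admin callers; if it does not, the fallback should be limited to the caller's own id, e.g. `const ownMemberId = criteria.memberId === _.get(currentUser, 'userId') ? criteria.memberId : undefined` and `if (criteria.taskMemberId || ownMemberId) {`. Separately, `criteria.taskMemberId || criteria.memberId` treats `0` and `''` as absent; `??` would fall back only on null/undefined if such ids are possible. The new `excludeTasks` comment would be clearer as `// tasks are hidden from everyone except admin and M2M callers; the taskMemberId branch below is the only other way to see them`.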
