fix /challenges/:uuid

ThomasKranitsas · ThomasKranitsas · commit e0cc722a3d26 · 2020-09-03T19:37:09.000+03:00
diff --git a/src/services/ChallengeService.js b/src/services/ChallengeService.js
@@ -947,25 +947,27 @@ async function getChallenge (currentUser, id) {
   // }
   // delete challenge.typeId
 
-  // Check if challenge is task and apply security rules
-  if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {
-    if (!currentUser || (!currentUser.isMachine && !helper.hasAdminRole(currentUser) && _.toString(currentUser.userId) !== _.toString(_.get(challenge, 'task.memberId')))) {
-      throw new errors.ForbiddenError(`You don't have access to view this challenge`)
-    }
-  }
-
+  let memberChallengeIds
   // Remove privateDescription for unregistered users
   if (currentUser) {
     if (!currentUser.isMachine) {
-      const ids = await helper.listChallengesByMember(currentUser.userId)
-      if (!_.includes(ids, challenge.id)) {
+      memberChallengeIds = await helper.listChallengesByMember(currentUser.userId)
+      if (!_.includes(memberChallengeIds, challenge.id)) {
         _.unset(challenge, 'privateDescription')
       }
     }
   } else {
     _.unset(challenge, 'privateDescription')
   }
 
+  // Check if challenge is task and apply security rules
+  if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {
+    const canAccesChallenge = _.isUndefined(currentUser) ? false : _.includes((memberChallengeIds || []), challenge.id) || currentUser.isMachine || helper.hasAdminRole(currentUser)
+    if (!canAccesChallenge) {
+      throw new errors.ForbiddenError(`You don't have access to view this challenge`)
+    }
+  }
+
   if (challenge.phases && challenge.phases.length > 0) {
     await getPhasesAndPopulate(challenge)
   }
