Merge pull request #262 from topcoder-platform/develop

ThomasKranitsas · web-flow · commit 145b29da648e · 2020-08-07T23:02:35.000+03:00
Fix security issues
diff --git a/src/services/ChallengeService.js b/src/services/ChallengeService.js
@@ -945,8 +945,7 @@ async function getChallenge (currentUser, id) {
 
   // Check if challenge is task and apply security rules
   if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {
-    const skipAccessCheck = !currentUser ? false : currentUser.isMachine || helper.hasAdminRole(currentUser)
-    if (!skipAccessCheck && currentUser && _.toString(currentUser.userId) !== _.get(challenge, 'task.memberId')) {
+    if (!currentUser || !(currentUser.isMachine || helper.hasAdminRole(currentUser)) || _.toString(currentUser.userId) !== _.toString(_.get(challenge, 'task.memberId'))) {
       throw new errors.ForbiddenError(`You don't have access to view this challenge`)
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -945,8 +945,7 @@ async function getChallenge (currentUser, id) {`
`945`	`945`
`946`	`946`	`// Check if challenge is task and apply security rules`
`947`	`947`	`if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {`
`948`		`- const skipAccessCheck = !currentUser ? false : currentUser.isMachine \|\| helper.hasAdminRole(currentUser)`
`949`		`- if (!skipAccessCheck && currentUser && _.toString(currentUser.userId) !== _.get(challenge, 'task.memberId')) {`
	`948`	`+ if (!currentUser \|\| !(currentUser.isMachine \|\| helper.hasAdminRole(currentUser)) \|\| _.toString(currentUser.userId) !== _.toString(_.get(challenge, 'task.memberId'))) {`
`950`	`949`	throw new errors.ForbiddenError(`You don't have access to view this challenge`)
`951`	`950`	`}`
`952`	`951`	`}`