Fix issue in _ensureAccessibleForTaskChallenge

ThomasKranitsas · ThomasKranitsas · commit 24556a62332c · 2021-01-29T00:52:07.000+02:00
diff --git a/src/common/helper.js b/src/common/helper.js
@@ -857,18 +857,19 @@ async function ensureAccessibleByGroupsAccess (currentUser, challenge) {
  * @param {Object} challenge the challenge to check
  */
 async function _ensureAccessibleForTaskChallenge (currentUser, challenge) {
-  let memberChallengeIds
+  let challengeResourceIds
   // Remove privateDescription for unregistered users
   if (currentUser) {
     if (!currentUser.isMachine) {
-      memberChallengeIds = await listChallengesByMember(currentUser.userId)
-      if (!_.includes(memberChallengeIds, challenge.id)) {
+      const challengeResources = await getChallengeResources(challenge.id)
+      challengeResourceIds = _.map(challengeResources, r => _.toString(r.memberId))
+      if (!_.includes(challengeResourceIds, _.toString(currentUser.userId))) {
       }
     }
   }
   // Check if challenge is task and apply security rules
   if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {
-    const canAccesChallenge = _.isUndefined(currentUser) ? false : _.includes((memberChallengeIds || []), challenge.id) || currentUser.isMachine || hasAdminRole(currentUser)
+    const canAccesChallenge = _.isUndefined(currentUser) ? false : _.includes((challengeResourceIds || []), _.toString(currentUser.userId)) || currentUser.isMachine || hasAdminRole(currentUser)
     if (!canAccesChallenge) {
       throw new errors.ForbiddenError(`You don't have access to view this challenge`)
     }

Original file line number	Diff line number	Diff line change
`@@ -857,18 +857,19 @@ async function ensureAccessibleByGroupsAccess (currentUser, challenge) {`
`857`	`857`	`* @param {Object} challenge the challenge to check`
`858`	`858`	`*/`
`859`	`859`	`async function _ensureAccessibleForTaskChallenge (currentUser, challenge) {`
`860`		`- let memberChallengeIds`
	`860`	`+ let challengeResourceIds`
`861`	`861`	`// Remove privateDescription for unregistered users`
`862`	`862`	`if (currentUser) {`
`863`	`863`	`if (!currentUser.isMachine) {`
`864`		`- memberChallengeIds = await listChallengesByMember(currentUser.userId)`
`865`		`- if (!_.includes(memberChallengeIds, challenge.id)) {`
	`864`	`+ const challengeResources = await getChallengeResources(challenge.id)`
	`865`	`+ challengeResourceIds = _.map(challengeResources, r => _.toString(r.memberId))`
	`866`	`+ if (!_.includes(challengeResourceIds, _.toString(currentUser.userId))) {`
`866`	`867`	`}`
`867`	`868`	`}`
`868`	`869`	`}`
`869`	`870`	`// Check if challenge is task and apply security rules`
`870`	`871`	`if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {`
`871`		`- const canAccesChallenge = _.isUndefined(currentUser) ? false : _.includes((memberChallengeIds \|\| []), challenge.id) \|\| currentUser.isMachine \|\| hasAdminRole(currentUser)`
	`872`	`+ const canAccesChallenge = _.isUndefined(currentUser) ? false : _.includes((challengeResourceIds \|\| []), _.toString(currentUser.userId)) \|\| currentUser.isMachine \|\| hasAdminRole(currentUser)`
`872`	`873`	`if (!canAccesChallenge) {`
`873`	`874`	throw new errors.ForbiddenError(`You don't have access to view this challenge`)
`874`	`875`	`}`