Apply task security rules when fetching a single challenge

ThomasKranitsas · ThomasKranitsas · commit 5fb05a60757e · 2020-08-02T20:37:23.000+03:00
diff --git a/src/services/ChallengeService.js b/src/services/ChallengeService.js
@@ -895,6 +895,14 @@ async function getChallenge (currentUser, id) {
   // }
   // delete challenge.typeId
 
+  // Check if challenge is task and apply security rules
+  if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {
+    const skipAccessCheck = !currentUser ? false : currentUser.isMachine || helper.hasAdminRole(currentUser)
+    if (!skipAccessCheck && currentUser.userId !== _.get(challenge, 'task.memberId')) {
+      throw new errors.ForbiddenError(`You don't have access to view this challenge`)
+    }
+  }
+
   // Remove privateDescription for unregistered users
   if (currentUser) {
     if (!currentUser.isMachine) {
