Fix issue in _ensureAccessibleForTaskChallenge

ThomasKranitsas · ThomasKranitsas · commit bfae357d324a · 2021-01-29T00:48:17.000+02:00
diff --git a/src/common/helper.js b/src/common/helper.js
@@ -863,18 +863,19 @@ async function ensureAccessibleByGroupsAccess (currentUser, challenge) {
  * @param {Object} challenge the challenge to check
  */
 async function _ensureAccessibleForTaskChallenge (currentUser, challenge) {
-  let memberChallengeIds
+  let challengeResourceIds
   // Remove privateDescription for unregistered users
   if (currentUser) {
     if (!currentUser.isMachine) {
-      memberChallengeIds = await listChallengesByMember(currentUser.userId)
-      if (!_.includes(memberChallengeIds, challenge.id)) {
+      const challengeResources = await getChallengeResources(challenge.id)
+      challengeResourceIds = _.map(challengeResources, r => _.toString(r.memberId))
+      if (!_.includes(challengeResourceIds, _.toString(currentUser.userId))) {
       }
     }
   }
   // Check if challenge is task and apply security rules
   if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {
-    const canAccesChallenge = _.isUndefined(currentUser) ? false : _.includes((memberChallengeIds || []), challenge.id) || currentUser.isMachine || hasAdminRole(currentUser)
+    const canAccesChallenge = _.isUndefined(currentUser) ? false : _.includes((challengeResourceIds || []), _.toString(currentUser.userId)) || currentUser.isMachine || hasAdminRole(currentUser)
     if (!canAccesChallenge) {
       throw new errors.ForbiddenError(`You don't have access to view this task as you don't have a resource on it`)
     }

Original file line number	Diff line number	Diff line change
`@@ -863,18 +863,19 @@ async function ensureAccessibleByGroupsAccess (currentUser, challenge) {`
`863`	`863`	`* @param {Object} challenge the challenge to check`
`864`	`864`	`*/`
`865`	`865`	`async function _ensureAccessibleForTaskChallenge (currentUser, challenge) {`
`866`		`- let memberChallengeIds`
	`866`	`+ let challengeResourceIds`
`867`	`867`	`// Remove privateDescription for unregistered users`
`868`	`868`	`if (currentUser) {`
`869`	`869`	`if (!currentUser.isMachine) {`
`870`		`- memberChallengeIds = await listChallengesByMember(currentUser.userId)`
`871`		`- if (!_.includes(memberChallengeIds, challenge.id)) {`
	`870`	`+ const challengeResources = await getChallengeResources(challenge.id)`
	`871`	`+ challengeResourceIds = _.map(challengeResources, r => _.toString(r.memberId))`
	`872`	`+ if (!_.includes(challengeResourceIds, _.toString(currentUser.userId))) {`
`872`	`873`	`}`
`873`	`874`	`}`
`874`	`875`	`}`
`875`	`876`	`// Check if challenge is task and apply security rules`
`876`	`877`	`if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {`
`877`		`- const canAccesChallenge = _.isUndefined(currentUser) ? false : _.includes((memberChallengeIds \|\| []), challenge.id) \|\| currentUser.isMachine \|\| hasAdminRole(currentUser)`
	`878`	`+ const canAccesChallenge = _.isUndefined(currentUser) ? false : _.includes((challengeResourceIds \|\| []), _.toString(currentUser.userId)) \|\| currentUser.isMachine \|\| hasAdminRole(currentUser)`
`878`	`879`	`if (!canAccesChallenge) {`
`879`	`880`	throw new errors.ForbiddenError(`You don't have access to view this task as you don't have a resource on it`)
`880`	`881`	`}`