From 24556a62332c42c91ff25cc0ceeccc515ca9b98a Mon Sep 17 00:00:00 2001
From: Thomas Kranitsas
Date: Fri, 29 Jan 2021 00:52:07 +0200
Subject: [PATCH 1/2] Fix issue in _ensureAccessibleForTaskChallenge
---
 src/common/helper.js | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/common/helper.js b/src/common/helper.js
index d7b913c8..ef6e116c 100644
--- a/src/common/helper.js
+++ b/src/common/helper.js
@@ -857,18 +857,19 @@ async function ensureAccessibleByGroupsAccess (currentUser, challenge) {
  * @param {Object} challenge the challenge to check
  */
 async function _ensureAccessibleForTaskChallenge (currentUser, challenge) {
-  let memberChallengeIds
+  let challengeResourceIds
   // Remove privateDescription for unregistered users
   if (currentUser) {
     if (!currentUser.isMachine) {
-      memberChallengeIds = await listChallengesByMember(currentUser.userId)
-      if (!_.includes(memberChallengeIds, challenge.id)) {
+      const challengeResources = await getChallengeResources(challenge.id)
+      challengeResourceIds = _.map(challengeResources, r => _.toString(r.memberId))
+      if (!_.includes(challengeResourceIds, _.toString(currentUser.userId))) {
       }
     }
   }
   // Check if challenge is task and apply security rules
   if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {
-    const canAccesChallenge = _.isUndefined(currentUser) ? false : _.includes((memberChallengeIds || []), challenge.id) || currentUser.isMachine || hasAdminRole(currentUser)
+    const canAccesChallenge = _.isUndefined(currentUser) ? false : _.includes((challengeResourceIds || []), _.toString(currentUser.userId)) || currentUser.isMachine || hasAdminRole(currentUser)
     if (!canAccesChallenge) {
       throw new errors.ForbiddenError(`You don't have access to view this challenge`)
     }
From 8120164729ccd3df68f4d155dac492dba4fdd798 Mon Sep 17 00:00:00 2001
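Review bot: The anonymous-user guard on the added `canAccesChallenge` line treats only `undefined` as "no user" (`_.isUndefined(currentUser)`), while the lookup block above it uses truthiness (`if (currentUser)`); a `null` currentUser would skip the resource lookup, pass the `_.isUndefined` test, and then dereference `currentUser.userId` on `null`, so a request that should be denied fails with a TypeError instead of the intended ForbiddenError. Whether callers ever pass `null` is not visible here, but the two checks should agree, e.g. `const canAccesChallenge = _.isNil(currentUser) ? false : ...` (or `!currentUser`, matching the outer `if`). The same mismatch is carried into the second hunk of this series, whose rewritten line keeps `_.isUndefined`. The enclosing function continues past the end of the hunk.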
From: Thomas Kranitsas
Date: Fri, 29 Jan 2021 01:07:15 +0200
Subject: [PATCH 2/2] clean up
---
 src/common/helper.js | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/common/helper.js b/src/common/helper.js
index ef6e116c..2dff530b 100644
--- a/src/common/helper.js
+++ b/src/common/helper.js
@@ -858,18 +858,15 @@ async function ensureAccessibleByGroupsAccess (currentUser, challenge) {
  */
 async function _ensureAccessibleForTaskChallenge (currentUser, challenge) {
   let challengeResourceIds
-  // Remove privateDescription for unregistered users
   if (currentUser) {
     if (!currentUser.isMachine) {
       const challengeResources = await getChallengeResources(challenge.id)
       challengeResourceIds = _.map(challengeResources, r => _.toString(r.memberId))
-      if (!_.includes(challengeResourceIds, _.toString(currentUser.userId))) {
-      }
     }
   }
   // Check if challenge is task and apply security rules
   if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {
-    const canAccesChallenge = _.isUndefined(currentUser) ? false : _.includes((challengeResourceIds || []), _.toString(currentUser.userId)) || currentUser.isMachine || hasAdminRole(currentUser)
+    const canAccesChallenge = _.isUndefined(currentUser) ? false : currentUser.isMachine || hasAdminRole(currentUser) || _.includes((challengeResourceIds || []), _.toString(currentUser.userId))
     if (!canAccesChallenge) {
       throw new errors.ForbiddenError(`You don't have access to view this challenge`)
     }
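Review bot: The rewritten `canAccesChallenge` line grants a view of an assigned task to any member holding any resource on the challenge, because `challengeResourceIds` collects `r.memberId` from every record `getChallengeResources` returns without filtering on role; that appears broader than the registration-based check it replaces, so confirm it is intended or restrict the list to the roles that should see an assigned task. Separately, `getChallengeResources(challenge.id)` is awaited for every non-machine caller even though the result is only consulted when `task.isTask` and `task.isAssigned` are both set and the caller is neither a machine nor an admin, so the remote lookup could move inside that branch and be skipped on every other challenge read, as sketched below. A comment such as `// only members holding a resource on the challenge may view an assigned task` above the lookup would record the rule being enforced. The enclosing function continues past the end of the hunk.
```javascript
async function _ensureAccessibleForTaskChallenge (currentUser, challenge) {
  // Check if challenge is task and apply security rules
  if (_.get(challenge, 'task.isTask', false) && _.get(challenge, 'task.isAssigned', false)) {
    let canAccesChallenge = false
    if (currentUser) {
      canAccesChallenge = currentUser.isMachine || hasAdminRole(currentUser)
      if (!canAccesChallenge) {
        // only members holding a resource on the challenge may view an assigned task
        const challengeResources = await getChallengeResources(challenge.id)
        canAccesChallenge = _.some(challengeResources, r => _.toString(r.memberId) === _.toString(currentUser.userId))
      }
    }
    if (!canAccesChallenge) {
      throw new errors.ForbiddenError(`You don't have access to view this challenge`)
    }
    // … unchanged: remainder of the task branch …
```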