fix(group-plans): shared completion, URL exploit

2025-12-16 22:27:26 +01:00 · 2022-06-08 16:46:22 -05:00
parent 87944c45c3
commit 0b1907fe07
4 changed files with 35 additions and 21 deletions
--- a/website/server/libs/tasks/index.js
+++ b/website/server/libs/tasks/index.js
@@ -245,6 +245,11 @@ function canNotEditTasks (group, user, assignedUserId) {
  return isNotGroupLeader && !isManager && !userIsAssigningToSelf;
 }

+function groupSubscriptionNotFound (group) {
+  return !group || !group.purchased || !group.purchased.plan || !group.purchased.plan.customerId
+   || (group.purchased.plan.dateTerminated && group.purchased.plan.dateTerminated < new Date());
+}
+
 async function getGroupFromTaskAndUser (task, user) {
  if (task.group.id && !task.userId) {
    const fields = requiredGroupFields.concat(' managers');
@@ -550,5 +555,6 @@ export {
  canNotEditTasks,
  getGroupFromTaskAndUser,
  getChallengeFromTask,
+  groupSubscriptionNotFound,
  verifyTaskModification,
 };