fix(challenge): don't pierce privacy on GET/:id

2025-12-17 22:57:21 +01:00 · 2023-08-15 15:21:28 -05:00
parent 8f64afe9df
commit 1ea954ab10
2 changed files with 2 additions and 1 deletions
--- a/website/server/controllers/api-v3/challenges.js
+++ b/website/server/controllers/api-v3/challenges.js
@@ -575,7 +575,7 @@ api.getChallenge = {

    // Fetching basic group data
    const group = await Group.getGroup({
-      user, groupId: challenge.group, fields: `${basicGroupFields} purchased`, optionalMembership: true,
+      user, groupId: challenge.group, fields: `${basicGroupFields} purchased`,
    });
    if (!group && !challenge.canView(user, group)) throw new NotFound(res.t('challengeNotFound'));
    const chalRes = challenge.toJSON();