fix(challenge): don't pierce privacy on GET/:id

website/server/controllers/api-v3/challenges.js

@@ -575,7 +575,7 @@ api.getChallenge = {
 
     // Fetching basic group data
     const group = await Group.getGroup({
-      user, groupId: challenge.group, fields: `${basicGroupFields} purchased`, optionalMembership: true,
+      user, groupId: challenge.group, fields: `${basicGroupFields} purchased`,
     });
     if (!group && !challenge.canView(user, group)) throw new NotFound(res.t('challengeNotFound'));
     const chalRes = challenge.toJSON();

website/server/models/challenge.js

@@ -93,6 +93,7 @@ schema.methods.canModify = function canModifyChallenge (user) {
 schema.methods.canJoin = function canJoinChallenge (user, group) {
   // for when leader has left private group that contains the challenge
   if (this.isLeader(user)) return true;
+  if (!group) return false;
   if (group.type === 'guild' && group.privacy === 'public') {
     return group._id === TAVERN_ID;
   }