fix(challenge): don't pierce privacy on GET/:id

2025-12-18 07:07:35 +01:00 · 2023-08-15 15:21:28 -05:00
parent 8f64afe9df
commit 1ea954ab10
2 changed files with 2 additions and 1 deletions
--- a/website/server/controllers/api-v3/challenges.js
+++ b/website/server/controllers/api-v3/challenges.js
@@ -575,7 +575,7 @@ api.getChallenge = {

    // Fetching basic group data
    const group = await Group.getGroup({
-      user, groupId: challenge.group, fields: `${basicGroupFields} purchased`, optionalMembership: true,
+      user, groupId: challenge.group, fields: `${basicGroupFields} purchased`,
    });
    if (!group && !challenge.canView(user, group)) throw new NotFound(res.t('challengeNotFound'));
    const chalRes = challenge.toJSON();
--- a/website/server/models/challenge.js
+++ b/website/server/models/challenge.js
@@ -93,6 +93,7 @@ schema.methods.canModify = function canModifyChallenge (user) {
 schema.methods.canJoin = function canJoinChallenge (user, group) {
  // for when leader has left private group that contains the challenge
  if (this.isLeader(user)) return true;
+  if (!group) return false;
  if (group.type === 'guild' && group.privacy === 'public') {
    return group._id === TAVERN_ID;
  }