fix: allows leader of challenge to create new challenge tasks even when not a participant of the challenge. fixes #7918

closes #7924

test/api/v3/integration/tasks/challenges/POST-tasks_challenge_id.test.js

@@ -33,20 +33,19 @@ describe('POST /tasks/challenge/:challengeId', () => {
     });
   });
 
-  it('returns error when user does not have the challenge', async () => {
+  it('allows leader to add tasks to a challenge when not a member', async () => {
-    let userWithoutChallenge = await generateUser();
+    await user.post(`/challenges/${challenge._id}/leave`);
-
+    let task = await user.post(`/tasks/challenge/${challenge._id}`, {
-    await expect(userWithoutChallenge.post(`/tasks/challenge/${challenge._id}`, {
       text: 'test habit',
       type: 'habit',
       up: false,
       down: true,
       notes: 1976,
-    })).to.eventually.be.rejected.and.eql({
-      code: 404,
-      error: 'NotFound',
-      message: t('challengeNotFound'),
     });
+
+    let {tasksOrder} =  await user.get(`/challenges/${challenge._id}`);
+
+    expect(tasksOrder.habits).to.include(task.id);
   });
 
   it('returns error when user tries to create task with a alias', async () => {

website/server/controllers/api-v3/tasks.js

@@ -120,7 +120,7 @@ api.createChallengeTasks = {
     let challenge = await Challenge.findOne({_id: challengeId}).exec();
 
     // If the challenge does not exist, or if it exists but user is not the leader -> throw error
-    if (!challenge || user.challenges.indexOf(challengeId) === -1) throw new NotFound(res.t('challengeNotFound'));
+    if (!challenge) throw new NotFound(res.t('challengeNotFound'));
     if (challenge.leader !== user._id) throw new NotAuthorized(res.t('onlyChalLeaderEditTasks'));
 
     let tasks = await _createTasks(req, res, user, challenge);