Merge branch 'develop' into sabrecat/teams-rebase

website/server/controllers/api-v3/chat.js

@@ -1,3 +1,4 @@
+import moment from 'moment';
 import nconf from 'nconf';
 import { authWithHeaders } from '../../middlewares/auth';
 import { model as Group } from '../../models/group';
@@ -22,7 +23,11 @@ import { getMatchesByWordArray } from '../../libs/stringUtils';
 import bannedSlurs from '../../libs/bannedSlurs';
 import apiError from '../../libs/apiError';
 import highlightMentions from '../../libs/highlightMentions';
+import { getAnalyticsServiceByEnvironment } from '../../libs/analyticsService';
 
+const analytics = getAnalyticsServiceByEnvironment();
+
+const ACCOUNT_MIN_CHAT_AGE = Number(nconf.get('ACCOUNT_MIN_CHAT_AGE'));
 const FLAG_REPORT_EMAILS = nconf.get('FLAG_REPORT_EMAIL').split(',').map(email => ({ email, canSend: true }));
 
 /**
@@ -188,6 +193,17 @@ api.postChat = {
       throw new NotAuthorized(res.t('messageGroupChatSpam'));
     }
 
+    // Check if account is newer than the minimum age for chat participation
+    if (moment().diff(user.auth.timestamps.created, 'minutes') < ACCOUNT_MIN_CHAT_AGE) {
+      analytics.track('chat age error', {
+        uuid: user._id,
+        hitType: 'event',
+        category: 'behavior',
+        headers: req.headers,
+      });
+      throw new BadRequest(res.t('chatTemporarilyUnavailable'));
+    }
+
     const sanitizedMessageText = sanitizeMessageText(req.body.message);
     const [message, mentions, mentionedMembers] = await highlightMentions(sanitizedMessageText);
     let client = req.headers['x-client'] || '3rd Party';

website/server/controllers/api-v3/hall.js

@@ -267,7 +267,11 @@ api.updateHero = {
     const hero = await User.findById(heroId).exec();
     if (!hero) throw new NotFound(res.t('userWithIDNotFound', { userId: heroId }));
 
-    if (updateData.balance) hero.balance = updateData.balance;
+    if (updateData.balance) {
+      await hero.updateBalance(updateData.balance - hero.balance, 'admin_update_balance', '', 'Given by Habitica staff');
+
+      hero.balance = updateData.balance;
+    }
 
     // give them gems if they got an higher level
     // tier = level in this context
@@ -323,7 +327,9 @@ api.updateHero = {
       }
     }
 
-    if (updateData.changeApiToken) hero.apiToken = common.uuid();
+    if (updateData.changeApiToken) {
+      hero.apiToken = common.uuid();
+    }
 
     const savedHero = await hero.save();
     const heroJSON = savedHero.toJSON();

website/server/controllers/api-v3/members.js

@@ -714,8 +714,8 @@ api.transferGems = {
       throw new NotAuthorized(res.t('badAmountOfGemsToSend'));
     }
 
-    await receiver.updateBalance(amount, 'gift_receive', sender._id, sender.profile.name);
-    await sender.updateBalance(-amount, 'gift_send', sender._id, receiver.profile.name);
+    await receiver.updateBalance(amount, 'gift_receive', sender._id, sender.auth.local.username);
+    await sender.updateBalance(-amount, 'gift_send', sender._id, receiver.auth.local.username);
     // @TODO necessary? Also saved when sending the inbox message
     const promises = [receiver.save(), sender.save()];
     await Promise.all(promises);

website/server/controllers/api-v4/members.js

@@ -64,9 +64,15 @@ api.purchaseHistory = {
     req.checkParams('memberId', res.t('memberIdRequired')).notEmpty().isUUID();
     const validationErrors = req.validationErrors();
     if (validationErrors) throw validationErrors;
-    const transactions = await Transaction
+    let transactions = await Transaction
       .find({ userId: req.params.memberId })
-      .sort({ createdAt: -1 });
+      .sort({ createdAt: -1 })
+      .exec();
+
+    if (!res.locals.user.hasPermission('userSupport')) {
+      transactions = transactions.filter(t => t.transactionType !== 'create_bank_challenge');
+    }
+
     res.respond(200, transactions);
   },
 };