fix(get tasks): improve tests and add ability to fetch group tasks (#12339)

2025-12-17 22:57:21 +01:00 · 2020-06-26 16:50:49 +02:00
parent c7eae6f26b
commit 359ef47ce7
3 changed files with 156 additions and 47 deletions
--- a/website/server/controllers/api-v3/tasks.js
+++ b/website/server/controllers/api-v3/tasks.js
@@ -26,6 +26,7 @@ import common from '../../../common';
 import logger from '../../libs/logger';
 import apiError from '../../libs/apiError';

+// @TODO abstract, see api-v3/tasks/groups.js
 function canNotEditTasks (group, user, assignedUserId, taskPayload = null) {
  const isNotGroupLeader = group.leader !== user._id;
  const isManager = Boolean(group.managers[user._id]);
@@ -530,18 +531,20 @@ api.getTask = {

    if (!task) {
      throw new NotFound(res.t('taskNotFound'));
+    } else if (task.group.id && !task.userId) {
+      // @TODO: Abstract this access snippet
+      const fields = requiredGroupFields.concat(' managers');
+      const group = await Group.getGroup({ user, groupId: task.group.id, fields });
+      if (!group) throw new NotFound(res.t('taskNotFound'));

-    // If the task belongs to a challenge make sure the user has rights
+      const isNotGroupLeader = group.leader !== user._id;
+      if (!group.isMember(user) && isNotGroupLeader) throw new NotFound(res.t('taskNotFound'));
+    // If the task belongs to a challenge make sure the user has rights (leader, admin or members)
    } else if (task.challenge.id && !task.userId) {
-      const challenge = await Challenge.find({ _id: task.challenge.id }).select('leader').exec();
-      if (
-        !challenge
-        || (
-          user.challenges.indexOf(task.challenge.id) === -1
-          && challenge.leader !== user._id
-          && !user.contributor.admin
-        )
-      ) { // eslint-disable-line no-extra-parens
+      const challenge = await Challenge.findOne({ _id: task.challenge.id }).select('leader').exec();
+      // @TODO: Abstract this access snippet
+      if (!challenge) throw new NotFound(res.t('taskNotFound'));
+      if (!challenge.canModify(user) && !challenge.isMember(user)) {
        throw new NotFound(res.t('taskNotFound'));
      }

@@ -628,7 +631,7 @@ api.updateTask = {
    if (!task) {
      throw new NotFound(res.t('taskNotFound'));
    } else if (task.group.id && !task.userId) {
-      //  @TODO: Abstract this access snippet
+      // @TODO: Abstract this access snippet
      const fields = requiredGroupFields.concat(' managers');
      group = await Group.getGroup({ user, groupId: task.group.id, fields });
      if (!group) throw new NotFound(res.t('groupNotFound'));
--- a/website/server/controllers/api-v3/tasks/groups.js
+++ b/website/server/controllers/api-v3/tasks/groups.js
@@ -21,6 +21,7 @@ const types = Tasks.tasksTypes.map(type => `${type}s`);
 // _allCompletedTodos is currently in BETA and is likely to be removed in future
 types.push('completedTodos', '_allCompletedTodos');

+// @TODO abstract this snipped (also see api-v3/tasks.js)
 function canNotEditTasks (group, user, assignedUserId) {
  const isNotGroupLeader = group.leader !== user._id;
  const isManager = Boolean(group.managers[user._id]);