fix access control when getting tasks for a challenge

Matteo Pagliazzi
2016-02-02 11:56:06 +01:00
parent 9854d1cf34
commit 4aa6545c79


@@ -194,7 +194,7 @@ api.getChallengeTasks = {
let user = res.locals.user;
let challengeId = req.params.challengeId;
let challenge = await Challenge.findOne({_id: challengeId}).select('leader').exec();
let challenge = await Challenge.findOne({_id: challengeId}).select('groupId leader').exec();
if (!challenge) throw new NotFound(res.t('challengeNotFound'));
let group = await Group.getGroup({user, groupId: challenge.groupId, fields: '_id type privacy', optionalMembership: true});
if (!group || !challenge.canView(user, group)) throw new NotFound(res.t('challengeNotFound'));
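Review bot: The projection on the `Challenge.findOne(...).select('groupId leader')` line is now what the access check depends on, but nothing in the code records that. The lookup in `Group.getGroup` uses `challenge.groupId` and the decision is made in `challenge.canView(user, group)`, so a later edit that trims the select list would again pass `undefined` as the group id without any error. I would add a comment above the query such as `// groupId and leader are read by Group.getGroup and challenge.canView below; keep them in the projection`. If `canView` reads other challenge fields (its body is not visible here), they need to be selected as well. A regression test in which a user outside a private group requests this challenge's tasks and receives `challengeNotFound` would pin the fix; the handler begins and ends outside this hunk.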