mirror of
https://github.com/HabitRPG/habitica.git
fix access control when getting tasks for a challenge
@@ -194,7 +194,7 @@ api.getChallengeTasks = {
|
|||||||
let user = res.locals.user;
|
let user = res.locals.user;
|
||||||
let challengeId = req.params.challengeId;
|
let challengeId = req.params.challengeId;
|
||||||
|
|
||||||
let challenge = await Challenge.findOne({_id: challengeId}).select('leader').exec();
|
let challenge = await Challenge.findOne({_id: challengeId}).select('groupId leader').exec();
|
||||||
if (!challenge) throw new NotFound(res.t('challengeNotFound'));
|
if (!challenge) throw new NotFound(res.t('challengeNotFound'));
|
||||||
let group = await Group.getGroup({user, groupId: challenge.groupId, fields: '_id type privacy', optionalMembership: true});
|
let group = await Group.getGroup({user, groupId: challenge.groupId, fields: '_id type privacy', optionalMembership: true});
|
||||||
if (!group || !challenge.canView(user, group)) throw new NotFound(res.t('challengeNotFound'));
|
if (!group || !challenge.canView(user, group)) throw new NotFound(res.t('challengeNotFound'));
|
||||||
|
|||||||
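Review bot: The access check after the `findOne` now depends on a hand-maintained projection, `.select('groupId leader')`, and nothing in the hunk guards that coupling. Mongoose silently ignores a selected path that is not in the schema, so if the Challenge model stores its group under another name, `challenge.groupId` is `undefined` and the result rests on how `Group.getGroup` treats a missing id. Any field `challenge.canView` reads beyond these two would likewise be absent; neither the schema nor `canView` is visible here, so both need confirming. I would add a comment above the query, `// projection must include every field read by Group.getGroup() and challenge.canView() below`, and an integration test asserting that a user outside a private group gets the `challengeNotFound` 404 for that group's challenge tasks. The handler body starts and ends outside the hunk.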