update hasAccess to include public guilds

Matteo Pagliazzi
2016-02-02 19:13:29 +01:00
parent 2ad5dbcc74
commit 509dffd0c7
2 changed files with 7 additions and 9 deletions


@@ -120,11 +120,10 @@ api.joinChallenge = {
let challenge = await Challenge.findOne({ _id: req.params.challengeId }); let challenge = await Challenge.findOne({ _id: req.params.challengeId });
if (!challenge) throw new NotFound(res.t('challengeNotFound')); if (!challenge) throw new NotFound(res.t('challengeNotFound'));
if (challenge.isMember(user)) throw new NotAuthorized(res.t('userAlreadyInChallenge'));
let group = await Group.getGroup({user, groupId: challenge.groupId, fields: '_id type privacy', optionalMembership: true}); let group = await Group.getGroup({user, groupId: challenge.groupId, fields: '_id type privacy', optionalMembership: true});
if (!group || !challenge.canView(user, group)) throw new NotFound(res.t('challengeNotFound')); if (!group || !challenge.hasAccess(user, group)) throw new NotFound(res.t('challengeNotFound'));
if (_.contains(user.challenges, challenge._id)) throw new NotAuthorized(res.t('userAlreadyInChallenge'));
challenge.memberCount += 1; challenge.memberCount += 1;
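Review bot: The join gate on the `challenge.hasAccess(user, group)` line changes who may join a challenge, but neither of the two changed files appears to be a test. Because `Group.getGroup` is called with `optionalMembership: true` (presumably returning groups the user does not belong to), this call is the only check keeping non-members out of private-group challenges. Worth adding cases for a non-member of a private guild (expects `challengeNotFound`) and a non-member of a public guild (expects a successful join). A short comment such as `// hasAccess, not canView: being able to see a challenge does not imply being allowed to join it` would also record why the stricter check is used here. The handler body starts and ends outside this hunk.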


@@ -47,20 +47,19 @@ schema.methods.canModify = function canModifyChallenge (user) {
}; };
// Returns true if user has access to the challenge (can join) // Returns true if user has access to the challenge (can join)
schema.methods.hasAccess = function hasAccessToChallenge (user) { schema.methods.hasAccess = function hasAccessToChallenge (user, group) {
if (group.type === 'guild' && group.privacy === 'public') return true;
let userGroups = user.guilds.slice(0); // clone user.guilds so we don't modify the original let userGroups = user.guilds.slice(0); // clone user.guilds so we don't modify the original
if (user.party._id) userGroups.push(user.party._id); if (user.party._id) userGroups.push(user.party._id);
userGroups.push('habitrpg'); // tavern userGroups.push('habitrpg'); // tavern
return this.canModify(user) || userGroups.indexOf(this.groupId) !== -1; return userGroups.indexOf(this.groupId) !== -1;
}; };
// Returns true if user can view the challenge // Returns true if user can view the challenge
// Different from hasAccess because challenges of public guilds can be viewed by everyone // Different from hasAccess because you can see challenges of groups you've been removed from if you're partecipating in them
// And also because you can see challenges of groups you've been removed from
schema.methods.canView = function canViewChallenge (user, group) { schema.methods.canView = function canViewChallenge (user, group) {
if (group.type === 'guild' && group.privacy === 'public') return true;
if (this.isMember(user)) return true; if (this.isMember(user)) return true;
return this.hasAccess(user); return this.hasAccess(user, group);
}; };
// Takes a Task document and return a plain object of attributes that can be synced to the user // Takes a Task document and return a plain object of attributes that can be synced to the user
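Review bot: The new public-guild shortcut in `hasAccess` returns true based only on the `group` argument and never checks that it is the challenge's own group, so the result is only as trustworthy as the caller's lookup. Binding it to the challenge would make the method safe on its own, e.g. `if (group._id === this.groupId && group.type === 'guild' && group.privacy === 'public') return true;` (assuming both ids are plain strings, as the `indexOf(this.groupId)` comparison suggests). `group` is also dereferenced unconditionally, so any caller outside this page still using the one-argument form would throw rather than deny; `canView` has the same requirement. The comment above `hasAccess` could state that `group` must be the document for `this.groupId`, and "partecipating" in the `canView` comment should read "participating".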