allow challenges to be edited, deleted, closed by admin users (moderators and staff) through the web UI (not by API calls)

Alys
2015-08-16 16:50:15 +10:00
parent 8e667b1019
commit 53f861f3c0
2 changed files with 4 additions and 4 deletions


@@ -225,7 +225,7 @@ api.update = function(req, res, next){
},
function(_before, cb) {
if (!_before) return cb('Challenge ' + cid + ' not found');
if (_before.leader != user._id) return cb("You don't have permissions to edit this challenge");
if (_before.leader != user._id && !user.contributor.admin) return cb("You don't have permissions to edit this challenge");
// Update the challenge, since syncing will need the updated challenge. But store `before` we're going to do some
// before-save / after-save comparison to determine if we need to sync to users
before = _before;
@@ -307,7 +307,7 @@ api['delete'] = function(req, res, next){
},
function(chal, cb){
if (!chal) return cb('Challenge ' + cid + ' not found');
if (chal.leader != user._id) return cb("You don't have permissions to edit this challenge");
if (chal.leader != user._id && !user.contributor.admin) return cb("You don't have permissions to delete this challenge");
if (chal.group != 'habitrpg') user.balance += chal.prize/4; // Refund gems to user if a non-tavern challenge
user.save(cb);
},
@@ -336,7 +336,7 @@ api.selectWinner = function(req, res, next) {
function(_chal, cb){
chal = _chal;
if (!chal) return cb('Challenge ' + cid + ' not found');
if (chal.leader != user._id) return cb("You don't have permissions to edit this challenge");
if (chal.leader != user._id && !user.contributor.admin) return cb("You don't have permissions to close this challenge");
User.findById(req.query.uid, cb)
},
function(winner, cb){
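Review bot: In the `api['delete']` hunk the gem refund `user.balance += chal.prize/4` still credits `user`, the requester, and with the new `!user.contributor.admin` bypass that requester can be an admin rather than the challenge leader, so the leader's prize would be refunded to the wrong account. The refund should go to the account identified by `chal.leader`, for example by loading it with `User.findById(chal.leader, ...)` and saving that document, keeping `user.balance += chal.prize/4` only when `chal.leader == user._id`. All three new checks also dereference `user.contributor.admin` directly; if `contributor` can be unset on a user document (not visible here), a non-leader request would throw instead of returning the permission error, so `!(user.contributor && user.contributor.admin)` is safer. The enclosing handlers start and end outside the hunks.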