Challenge privacy fix (#11222)

* fix(challenges): filter out private content API-side

* fix(challenges): cleaner fix + test

test/api/v3/integration/challenges/GET-challenges_user.test.js

@@ -171,7 +171,7 @@ describe('GET challenges/user', () => {
       });
     });
 
-    it('should return not return challenges in user groups if we send member true param', async () => {
+    it('should not return challenges in user groups if we send member true param', async () => {
       let challenges = await member.get(`/challenges/user?member=${true}`);
 
       let foundChallenge1 = _.find(challenges, { _id: challenge._id });
@@ -214,6 +214,28 @@ describe('GET challenges/user', () => {
       let foundChallenge = _.find(challenges, { _id: privateChallenge._id });
       expect(foundChallenge).to.not.exist;
     });
+
+    it('should not return challenges user doesn\'t have access to, even with query parameters', async () => {
+      let { group, groupLeader } = await createAndPopulateGroup({
+        groupDetails: {
+          name: 'TestPrivateGuild',
+          summary: 'summary for TestPrivateGuild',
+          type: 'guild',
+          privacy: 'private',
+        },
+      });
+
+      let privateChallenge = await generateChallenge(groupLeader, group, {categories: [{
+        name: 'academics',
+        slug: 'academics',
+      }]});
+      await groupLeader.post(`/challenges/${privateChallenge._id}/join`);
+
+      let challenges = await nonMember.get('/challenges/user?categories=academics&owned=not_owned');
+
+      let foundChallenge = _.find(challenges, { _id: privateChallenge._id });
+      expect(foundChallenge).to.not.exist;
+    });
   });
 
   context('official challenge is present', () => {