Challenge privacy fix (#11222)

* fix(challenges): filter out private content API-side

* fix(challenges): cleaner fix + test
This commit is contained in:
Sabe Jones
2019-06-13 09:27:47 -05:00
committed by GitHub
parent 5630e8cc8e
commit 6b59262e3e
2 changed files with 25 additions and 3 deletions


@@ -171,7 +171,7 @@ describe('GET challenges/user', () => {
}); });
}); });
it('should return not return challenges in user groups if we send member true param', async () => { it('should not return challenges in user groups if we send member true param', async () => {
let challenges = await member.get(`/challenges/user?member=${true}`); let challenges = await member.get(`/challenges/user?member=${true}`);
let foundChallenge1 = _.find(challenges, { _id: challenge._id }); let foundChallenge1 = _.find(challenges, { _id: challenge._id });
@@ -214,6 +214,28 @@ describe('GET challenges/user', () => {
let foundChallenge = _.find(challenges, { _id: privateChallenge._id }); let foundChallenge = _.find(challenges, { _id: privateChallenge._id });
expect(foundChallenge).to.not.exist; expect(foundChallenge).to.not.exist;
}); });
it('should not return challenges user doesn\'t have access to, even with query parameters', async () => {
let { group, groupLeader } = await createAndPopulateGroup({
groupDetails: {
name: 'TestPrivateGuild',
summary: 'summary for TestPrivateGuild',
type: 'guild',
privacy: 'private',
},
});
let privateChallenge = await generateChallenge(groupLeader, group, {categories: [{
name: 'academics',
slug: 'academics',
}]});
await groupLeader.post(`/challenges/${privateChallenge._id}/join`);
let challenges = await nonMember.get('/challenges/user?categories=academics&owned=not_owned');
let foundChallenge = _.find(challenges, { _id: privateChallenge._id });
expect(foundChallenge).to.not.exist;
});
}); });
context('official challenge is present', () => { context('official challenge is present', () => {
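Review bot: The new test at the second hunk only asserts the negative case (the private challenge is absent), so it would also pass if `/challenges/user?categories=academics&owned=not_owned` returned nothing at all, e.g. if the `categories` or `owned` filter were broken. A positive control would make it a real privacy regression test: create a public challenge with the same `academics` category that `nonMember` does not own, fetch once, and assert `expect(_.find(challenges, { _id: publicChallenge._id })).to.exist;` alongside the existing `to.not.exist` check. `nonMember`, `createAndPopulateGroup` and `generateChallenge` are presumably defined in the describe setup outside this hunk; if `nonMember` is a member of no group, a one-line comment stating that would help readers understand why the private guild challenge must be hidden from it.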


@@ -366,11 +366,11 @@ api.getUserChallenges = {
if (owned) { if (owned) {
if (owned === 'not_owned') { if (owned === 'not_owned') {
query.$and = [{leader: {$ne: user._id}}]; query.$and.push({leader: {$ne: user._id}});
} }
if (owned === 'owned') { if (owned === 'owned') {
query.$and = [{leader: user._id}]; query.$and.push({leader: user._id});
} }
} }
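Review bot: `query.$and.push(...)` on both changed lines assumes `query.$and` was already initialized as an array earlier in `api.getUserChallenges` (outside this hunk); if any path reaches the `owned` branch with `$and` unset, `push` throws a TypeError instead of narrowing the query. A defensive `if (!query.$and) query.$and = [];` just before `if (owned) {` would keep the handler from depending on statement order elsewhere in the function. The switch from assignment to `push` is the actual privacy fix, since the old `query.$and = [...]` discarded whatever access constraints had been placed in `$and` before it, so a short comment above the block is worth adding: `// append, never overwrite: $and already carries the group-membership restriction that keeps private challenges out of the result`. The handler body continues outside the hunk.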