Prevent the removal of a quest owner from a group, take 2 (#12695)

* add cannotRemoveQuestLeader string * throw error when member is quest leader * add the new apidoc error * change i18n key name * fix apidoc formatting and change key in throw() * add test for preventing removing quest owner * patch(groups): change error codes
2025-12-14 21:27:23 +01:00 · 2020-10-26 04:46:43 -05:00
parent 4fc260e552
commit 734e997345
3 changed files with 29 additions and 4 deletions
--- a/website/server/controllers/api-v3/groups.js
+++ b/website/server/controllers/api-v3/groups.js
@@ -908,9 +908,11 @@ function _sendMessageToRemoved (group, removedUser, message, isInGroup) {
 *     /api/v3/groups/party/removeMember/[User's ID]?message=Bye
 *
 * @apiError (400) {BadRequest} userIdrequired "memberId" cannot be empty or not a UUID
- * @apiError (400) {NotAuthorized} onlyLeaderCanRemoveMember Only the group
+ * @apiError (401) {NotAuthorized} onlyLeaderCanRemoveMember Only the group
                                                             leader can remove members.
- * @apiError (400) {NotAuthorized} memberCannotRemoveYourself Group leader cannot remove themselves
+ * @apiError (401) {NotAuthorized} memberCannotRemoveYourself Group leader cannot remove themselves
+ * @apiError (401) {NotAuthorized} cannotRemoveQuestOwner Group leader cannot remove
+                                                          the owner of an active quest
 * @apiError (404) {NotFound} groupMemberNotFound Group member was not found
 *
 * @apiSuccess {Object} data An empty object
@@ -976,8 +978,7 @@ api.removeGroupMember = {
      }

      if (group.quest && group.quest.leader === member._id) {
-        group.quest.key = undefined;
-        group.quest.leader = undefined;
+        throw new NotAuthorized(res.t('cannotRemoveQuestOwner'));
      } else if (group.quest && group.quest.members) {
        // remove member from quest
        delete group.quest.members[member._id];