fix: Corrects logic where it was possible to customize avatar

with gem purchasable items without purchasing them.

Closes #6427
Closes #6448

lint(common): Add unnecessary quotes to make object look less weird

website/src/controllers/api-v2/user.js

@@ -11,7 +11,9 @@ var Group = require('./../../models/group').model;
 var Challenge = require('./../../models/challenge').model;
 var moment = require('moment');
 var logging = require('./../../libs/logging');
-var acceptablePUTPaths;
+let acceptablePUTPaths;
+let restrictedPUTSubPaths;
+
 var api = module.exports;
 var qs = require('qs');
 var firebase = require('../../libs/firebase');
@@ -284,17 +286,44 @@ api.getUserAnonymized = function(req, res, next) {
  * The trick here is to only accept leaf paths, not root/intermediate paths (see http://goo.gl/OEzkAs)
  * FIXME - one-by-one we want to widdle down this list, instead replacing each needed set path with API operations
  */
-acceptablePUTPaths = _.reduce(require('./../../models/user').schema.paths, function(m,v,leaf){
-  var found= _.find('achievements filters flags invitations lastCron party preferences profile stats inbox'.split(' '), function(root){
-    return leaf.indexOf(root) == 0;
+acceptablePUTPaths = _.reduce(require('./../../models/user').schema.paths, (m, v, leaf) => {
+  let updatablePaths = 'achievements filters flags invitations lastCron party preferences profile stats inbox'.split(' ');
+  let found = _.find(updatablePaths, (rootPath) => {
+    return leaf.indexOf(rootPath) === 0;
   });
-  if (found) m[leaf]=true;
-  return m;
-}, {})
 
-_.each('stats.class'.split(' '), function(removePath){
+  if (found) m[leaf] = true;
+
+  return m;
+}, {});
+
+restrictedPUTSubPaths = 'stats.class'.split(' ');
+
+_.each(restrictedPUTSubPaths, (removePath) => {
   delete acceptablePUTPaths[removePath];
-})
+});
+
+let requiresPurchase = {
+  'preferences.background': 'background',
+  'preferences.shirt': 'shirt',
+  'preferences.size': 'size',
+  'preferences.skin': 'skin',
+  'preferences.hair.bangs': 'hair.bangs',
+  'preferences.hair.base': 'hair.base',
+  'preferences.hair.beard': 'hair.beard',
+  'preferences.hair.color': 'hair.color',
+  'preferences.hair.flower': 'hair.flower',
+  'preferences.hair.mustache': 'hair.mustache',
+};
+
+let checkPreferencePurchase = (user, path, item) => {
+  let itemPath = `${path}.${item}`;
+  let isDefaultPreference = _.get(shared.content.defaultAppearancePreferences, itemPath);
+
+  if (isDefaultPreference) return true;
+
+  return _.get(user.purchased, itemPath);
+};
 
 /**
  * Update user
@@ -302,21 +331,31 @@ _.each('stats.class'.split(' '), function(removePath){
  * PUT /user {'stats.hp':50, 'tasks.TASK_ID.repeat.m':false}
  * See acceptablePUTPaths for which user paths are supported
 */
-api.update = function(req, res, next) {
-  var user = res.locals.user;
-  var errors = [];
+api.update = (req, res, next) => {
+  let user = res.locals.user;
+  let errors = [];
+
   if (_.isEmpty(req.body)) return res.json(200, user);
 
-  _.each(req.body, function(v, k) {
-    if (acceptablePUTPaths[k])
+  _.each(req.body, (v, k) => {
+    let purchasable = requiresPurchase[k];
+
+    if (purchasable && !checkPreferencePurchase(user, purchasable, v)) {
+      return errors.push(`Must purchase ${v} to set it on ${k}`);
+    }
+
+    if (acceptablePUTPaths[k]) {
       user.fns.dotSet(k, v);
-    else
+    } else {
       errors.push(shared.i18n.t('messageUserOperationProtected', { operation: k }));
+    }
     return true;
   });
-  user.save(function(err) {
+
+  user.save((err) => {
     if (!_.isEmpty(errors)) return res.json(401, {err: errors});
     if (err) return next(err);
+
     res.json(200, user);
     user = errors = null;
   });